helps keep Windows
computers free from prevalent malware. MSRT finds and removes threats
and reverses the changes made by these threats. MSRT is generally
released monthly as part of Windows Update or as a standalone tool
available here for download.
Use this tool:
If you have automatic updates for Windows turned off. Windows Update automatically downloads and runs MSRT in the background.
If you suspect an infection from prevalent malware families
is a scan tool designed to find and remove
malware from Windows computers. Simply download it and run a scan to
find malware and try to reverse changes made by identified threats.
Safety Scanner only scans when manually triggered and is available for
use 10 days after being downloaded. We recommend that you always
download the latest version of this tool before each scan.
Hook Analyser :
is a freeware project, started in 2011, to analyse an application during the run-time. The project can be potentially useful in analysing malwares (static and run time), and for performing application crash analysis.
The following sections break down the features (and functionality) of the Hook Analyser, and attempts to answer ‘How-to’ and ‘so-what’ queries.
Application UI – Significant updates have been performed on the latest release (v 2.2) to make it more verbose.
Hook Analyser is a hook tool which could be potentially helpful in reversing application and analyzing malwares.
The tool can hook to an API in a process and can do following tasks.
1. Hook to API in a process
2. Hook to API and search for pattern in memory of a process
3. Hook to API and dump buffer (memory).
It's completely automated where you need not to mention any specific API, it does all by itself and stores result in log file.
Needless to say : Support pattern searches , dump memory content and more..
Following is the change log -
Added new signatures (and removed redundant ones)
Bug fixes - Many thanks for community users to reporting them.
Fixed start-up error.
Release of the Hook Analyser v2.6.
Following is the change log -
-- Added new signatures (and removed redundant ones)
-- Bug fixes - Many thanks for community users to reporting them.
-- Fixed start-up error.
5 key functionalities -
Spawn and Hook to Application - This feature allows analyst to spawn
an application, and hook into it. The module flow is as following -
PE validation
Static malware analysis.
Other options (such as pattern search or dump all)
Type of hooking (Automatic, Smart or manual)
Spawn and hook
Currently, there are three types of hooking being supported –
Automatic – The tool will parse the application import tables, and based upon that will hook into specified APIs
Manual – On this, the tool will ask end-user for each API, if it needs to be hooked.
Smart – This is essentially a subset of automatic hooking however, excludes uninteresting APIs.
2. Hook to a specific running process-The option allows analyst to
hook to a running (active) process. The program flow is –
List all running process
Identify the running process executable path.
Perform static malware analysis on executable (fetched from process executable path)
Other options (such as pattern search or dump all)
Type of hooking (Automatic, Smart or manual)
Hook to a specific running process
Hook and continue the process
3. Static Malware Analysis - This module is one of the most
interesting and useful module of Hook Analyser, which performs scanning
on PE or Widows executables to identify potential malware traces. The
sub-components have been mentioned below (and this is not the full list)
-
PE file validation
CRC and timestamps validation
PE properties such as Image Base, Entry point, sections, subsystem
TLS entry detection.
Entry point verification (if falls in suspicious section)
Suspicious entry point detection
Packer detection
Signature trace (extended from malware analyser project), such as
Anti VM aware, debug aware, keyboard hook aware etc. This particular
function searches for more than 20 unique malware behaviours (using
100’s of signature).
Import intel scanning.
Deep search (module) Online search of MD5 (of executable) on Threat Expert.
String dump (ASCII)
Executable file information
Hexdump
PEfile info dumping
...and more.
4. Application crash analysis - This module enables exploit
researcher and/or application developer to analyse memory content when
an application crashes.This module essentially displays data in
different memory register (such as EIP).
Application crash analysis video demonstration –
http://www.youtube.com/watch?v=msYo7pPsu6A
5. Exe extractor - This module essentially extracts executables from
running process/s, which could then be further analysed using Hook
Analyser , Malware Analyser or other solutions. This module is potentially useful for incident responders