Hi everyone,
This thread is about one of my projects called penalyze2.
Let's start with a brief on what penalyze2 is.
penalyze2 is a Free (as in Freedom) Software malware analysis package that basically emulates both an x86 CPU and a Windows environment. It's currently in some sort of alpha state, however, proof-of-concept analysis is already working with simple helloworld files.
It is currently developed for Unix-like systems (it has only been tested on GNU/Linux x86 at the moment) and could also be described as a sandbox.
What it's basically doing is loading a PE file into memory, checking the PE headers and setting up the 'virtual machine' (aka x86 & Windows emulator). After patching all imports it sets the entry point and starts emulating.
The idea here is to provide a researcher with all API calls the malware does plus their arguments. This way you can easily see what the program does to the system and where, for example, it connects to via the Internet.
What this also means is that if we don't want to, executables won't be able to detect a debugger. Additionally, executable packers become obsolete as their unpacking code is simply emulated as well.
As mentioned earlier it is in a late alpha/early beta state right now and a lot of work still needs to be done. As also mentioned above, penalyze2 is Free Software and licensed under the GNU GPL.
The project page can be found at http://sv.gnu.org/projects/penalyze2 and you can also download the project's sourcecode there.
I'm not only writing this thread in order to inform people about penalyze2 but also to ask for help. Emulating an x86 CPU and a Windows environment is quite a lot of work and not really a one-man job, so if you are interested in helping to develop penalyze2 simply drop me an email.
If anything remains unclear here go ahead and ask your questions. However, you could also download the source code and give it a try yourself (using the included test files).
Criticism, as well as additional ideas, etc., is always appreciated.
Regards,
Stephan Peijnik
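The loading steps the post describes (check the PE headers, walk the import table, patch every import so the emulator can intercept the call, read the entry point) can be illustrated with a small parser. The code below is an added example written for this thread, not penalyze2's own code; it builds a constructed PE32 image inline so it runs offline, and the stub address range `STUB_BASE` used to patch the IAT is an assumption chosen for the example, not a value the project uses.

```python
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1
PE32_MAGIC = 0x10B
STUB_BASE = 0xFFFF0000  # assumed: address range the emulator reserves for API trap stubs


def build_sample_pe(imports, sect_rva=0x1000, sect_raw=0x200):
    """Construct a minimal PE32 image with one .text section holding a 'ret' stub and an import table."""
    body = bytearray()

    def put(blob):
        off = len(body)
        body.extend(blob)
        return off

    entry_off = put(b"\xC3\x90\x90\x90")              # constructed entry stub: ret, nop, nop, nop
    desc_off = put(bytes(20 * (len(imports) + 1)))    # IMAGE_IMPORT_DESCRIPTOR array + null terminator
    descs = []
    for dll, funcs in imports:
        name_off = put(dll.encode() + b"\0")
        thunks = []
        for func in funcs:                            # IMAGE_IMPORT_BY_NAME: hint + NUL-terminated name
            thunks.append(sect_rva + put(struct.pack("<H", 0) + func.encode() + b"\0"))
        packed = b"".join(struct.pack("<I", t) for t in thunks) + b"\0\0\0\0"
        int_off, iat_off = put(packed), put(packed)   # import name table and import address table
        descs.append((sect_rva + int_off, 0, 0, sect_rva + name_off, sect_rva + iat_off))
    for i, d in enumerate(descs):
        struct.pack_into("<5I", body, desc_off + 20 * i, *d)
    virtual_size = len(body)
    body.extend(bytes(-len(body) % sect_raw))         # pad raw data to FileAlignment

    hdr = bytearray(sect_raw)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)            # e_lfanew -> NT headers
    hdr[0x40:0x44] = b"PE\0\0"
    coff = 0x44                                       # Machine=i386, 1 section, optional hdr 224 bytes
    struct.pack_into("<HHIIIHH", hdr, coff, 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = coff + 20
    struct.pack_into("<H", hdr, opt, PE32_MAGIC)
    struct.pack_into("<I", hdr, opt + 16, sect_rva + entry_off)   # AddressOfEntryPoint
    struct.pack_into("<I", hdr, opt + 28, 0x400000)               # ImageBase
    struct.pack_into("<II", hdr, opt + 32, 0x1000, sect_raw)      # Section/FileAlignment
    struct.pack_into("<II", hdr, opt + 56, 0x2000, sect_raw)      # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", hdr, opt + 68, 3)                      # Subsystem: console
    struct.pack_into("<I", hdr, opt + 92, 16)                     # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT,
                     sect_rva + desc_off, 20 * (len(imports) + 1))
    struct.pack_into("<8sIIIIIIHHI", hdr, opt + 224, b".text", virtual_size, sect_rva,
                     len(body), sect_raw, 0, 0, 0, 0, 0xE0000020)  # code|exec|read|write
    return bytes(hdr + body)


def parse_pe(data):
    """Validate the DOS/PE signatures and return the header fields a loader needs."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsect, _, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 images are handled here")
    info = {
        "entry_point": struct.unpack_from("<I", data, opt + 16)[0],
        "image_base": struct.unpack_from("<I", data, opt + 28)[0],
        "import_rva": struct.unpack_from("<I", data, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)[0],
        "sections": [],
    }
    for i in range(nsect):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        info["sections"].append({"name": name.rstrip(b"\0").decode(), "vsize": vsize,
                                 "vaddr": vaddr, "rawsize": rawsize, "rawptr": rawptr})
    return info


def rva_to_offset(info, rva):
    """Translate an RVA to a file offset using the section table."""
    for s in info["sections"]:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            return s["rawptr"] + (rva - s["vaddr"])
    raise ValueError(f"RVA {rva:#x} not backed by any section")


def read_cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def parse_imports(data, info):
    """Walk the import descriptors and list (dll, function, IAT slot RVA) for every import."""
    imports = []
    if info["import_rva"] == 0:
        return imports
    off = rva_to_offset(info, info["import_rva"])
    while True:
        orig_thunk, _ts, _fwd, name_rva, first_thunk = struct.unpack_from("<5I", data, off)
        if name_rva == 0 and first_thunk == 0:      # all-zero terminator
            break
        dll = read_cstr(data, rva_to_offset(info, name_rva))
        thunk_off = rva_to_offset(info, orig_thunk or first_thunk)
        i = 0
        while True:
            entry = struct.unpack_from("<I", data, thunk_off + 4 * i)[0]
            if entry == 0:
                break
            if entry & 0x80000000:                    # import by ordinal
                func = f"#{entry & 0xFFFF}"
            else:                                     # import by name: skip the 2-byte hint
                func = read_cstr(data, rva_to_offset(info, entry) + 2)
            imports.append({"dll": dll, "func": func, "iat_rva": first_thunk + 4 * i})
            i += 1
        off += 20
    return imports


def patch_imports(data, info, imports):
    """Write a unique stub address into each IAT slot; the emulator maps stub -> API name at call time."""
    image = bytearray(data)
    table = {}
    for i, imp in enumerate(imports):
        stub = STUB_BASE + 16 * i
        struct.pack_into("<I", image, rva_to_offset(info, imp["iat_rva"]), stub)
        table[stub] = (imp["dll"], imp["func"])
    return bytes(image), table


def iat_value(image, info, iat_rva):
    return struct.unpack_from("<I", image, rva_to_offset(info, iat_rva))[0]


if __name__ == "__main__":
    sample = build_sample_pe([("kernel32.dll", ["ExitProcess"]), ("user32.dll", ["MessageBoxA"])])
    info = parse_pe(sample)
    imps = parse_imports(sample, info)
    _patched, table = patch_imports(sample, info, imps)
    print(f"entry point RVA {info['entry_point']:#x}, image base {info['image_base']:#x}")
    for stub, (dll, func) in table.items():
        print(f"{stub:#010x} -> {dll}!{func}")
```

Once the IAT holds stub addresses, any `call [iat_slot]` the emulated code makes lands in the reserved range, so the emulator can look the address up in `table`, log the API name and its arguments, and return a fake result, which is the mechanism behind the API-call listing described above.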