Skip to content

Bor-Code/MalwareAnalysisTool

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

118 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

MalwareAnalysisTool

🚨 WARNING / DİKKAT

This tool is intended for educational malware analysis and defensive security research only. Use dynamic analysis only inside an isolated Windows virtual machine. Do not run suspicious files on your main system.

Bu araç eğitim, zararlı yazılım analizi ve savunma amaçlı güvenlik araştırmaları için geliştirilmiştir. Dinamik analiz modunu sadece izole edilmiş Windows sanal makinesinde kullanın. Şüpheli dosyaları ana sisteminizde çalıştırmayın.

MalwareAnalysisTool is a Windows-focused malware analysis project that combines a C++ PE analysis engine with a modern Tauri desktop GUI.

The project supports static PE analysis, experimental dynamic analysis, TXT/JSON report generation, risk scoring, SHA-256 hashing, suspicious API detection, suspicious DLL summaries, section entropy analysis, and a Matrix-themed desktop interface.

The main goal of this project is to provide a lightweight malware analysis workflow for learning, triage, and defensive research.


GUI Preview

MalwareAnalysisTool GUI 1

MalwareAnalysisTool GUI 2

MalwareAnalysisTool GUI 3


Main Features

Static Analysis

Static analysis inspects PE files without executing the target file.

It can extract and report:

  • DOS header validation
  • PE header validation
  • Section information
  • Section entropy values
  • Section risk levels
  • Imported DLLs
  • Imported APIs
  • Suspicious API usage
  • Suspicious API categories
  • Suspicious API severity levels
  • Suspicious DLL summary
  • Target file size
  • SHA-256 hash
  • Static risk score
  • Static risk level
  • TXT and JSON reports

Static mode is safer because it does not execute the analyzed file.


Dynamic Analysis

Dynamic analysis executes the target file using Windows debugging APIs.

It can capture runtime-related events such as:

  • Process-related events
  • File-related events
  • Captured API activity
  • Event timestamps
  • Event IDs
  • Analysis duration
  • Timeout status

Dynamic analysis is experimental.

Use this mode only inside an isolated Windows virtual machine.


Desktop GUI

The project includes a modern Tauri-based desktop GUI.

The GUI provides:

  • Static analysis mode
  • Dynamic analysis mode
  • Native file selection
  • TR/EN language switching
  • Matrix-themed interface
  • Clean / suspicious / high-risk verdict display
  • Risk score display
  • Risk level display
  • SHA-256 display
  • File size display
  • TXT/JSON report preview
  • Dynamic mode timeout input
  • Validation for dynamic analysis file type

The GUI uses the existing pe_analyzer.exe analysis engine in the background.


Project Structure

MalwareAnalysisTool/
├── include/
│   └── analyzer/
│       ├── pe_parser.hpp
│       └── dynamic_analyzer.hpp
├── src/
│   ├── main.cpp
│   ├── pe_parser.cpp
│   └── dynamic_analyzer.cpp
├── gui/
│   ├── src/
│   │   ├── main.ts
│   │   └── styles.css
│   └── src-tauri/
│       ├── src/
│       │   └── lib.rs
│       ├── capabilities/
│       └── tauri.conf.json
├── assets/
│   ├── 1.png
│   ├── 2.png
│   └── 3.png
├── CMakeLists.txt
├── README.md
└── LICENSE

Requirements

CLI Requirements

  • Windows
  • CMake
  • C++17 compatible compiler
  • Visual Studio Build Tools or Visual Studio Community

GUI Requirements

  • Node.js
  • npm
  • Rust
  • Cargo
  • Tauri dependencies for Windows
  • WebView2 Runtime

Build CLI

From the project root:

cmake -B build
cmake --build build --config Release

The CLI executable will be generated at:

build/Release/pe_analyzer.exe

CLI Usage

Help

.\build\Release\pe_analyzer.exe -help

You can also use:

.\build\Release\pe_analyzer.exe --help
.\build\Release\pe_analyzer.exe -h

Static Analysis

.\build\Release\pe_analyzer.exe -static C:\Windows\System32\notepad.exe

With a custom output directory:

.\build\Release\pe_analyzer.exe -static C:\Windows\System32\notepad.exe -out reports

Static analysis does not execute the target file.


Dynamic Analysis

.\build\Release\pe_analyzer.exe -dynamic C:\Windows\System32\notepad.exe

With timeout:

.\build\Release\pe_analyzer.exe -dynamic C:\Windows\System32\notepad.exe -timeout 30

With timeout and custom output directory:

.\build\Release\pe_analyzer.exe -dynamic C:\Windows\System32\notepad.exe -timeout 30 -out reports

Dynamic analysis executes the target file.

Use it only inside an isolated Windows VM.


Run GUI

From the project root:

cd gui
npm install
npm run tauri dev

To build the GUI:

cd gui
npm run build
npm run tauri build

The GUI uses the C++ CLI engine in the background.

Before running GUI analysis, make sure the CLI has been built:

cmake -B build
cmake --build build --config Release

Report Output

Static Analysis Reports

Static analysis generates:

static_analysis_report.txt
static_analysis_report.json

When using -out reports, the files are generated under:

reports/
├── static_analysis_report.txt
└── static_analysis_report.json

Example JSON metadata:

{
  "targetFileSize": 360448,
  "sha256": "ab15a95de88ab0624307ae0e28e333756a2a522f650a0be78749901f7dc32ecf"
}

Example risk summary:

{
  "summary": {
    "risk": {
      "score": 39,
      "level": "Medium"
    }
  }
}

Dynamic Analysis Reports

Dynamic analysis generates:

dynamic_analysis_report.txt
dynamic_analysis_report.json

When using -out reports, the files are generated under:

reports/
├── dynamic_analysis_report.txt
└── dynamic_analysis_report.json

Dynamic reports can include captured runtime events such as:

  • Event ID
  • Timestamp
  • API name
  • Captured event count
  • Timeout status
  • Analysis duration

Static Risk Score

The static risk score is calculated using suspicious API severity and section risk indicators.

Indicator Score
High severity suspicious API +5
Medium severity suspicious API +2
Low severity suspicious API +1
High section risk +3
Medium section risk +1

The score is capped at 100.

Risk levels:

Score Range Risk Level
0-19 Low
20-49 Medium
50+ High

Example:

Overall Risk
Risk Score: 39
Risk Level: Medium

Suspicious API Detection

The static analyzer checks imported APIs and classifies suspicious functions by category and severity.

Example categories include:

  • File activity
  • Registry activity
  • Process activity
  • Memory activity
  • Network activity
  • Service activity
  • Anti-analysis related activity

Example JSON output:

{
  "api": "CreateFileW",
  "dll": "api-ms-win-core-file-l1-1-0.dll",
  "category": "File",
  "severity": "Medium"
}

Suspicious DLL Summary

The analyzer also summarizes suspicious DLL usage.

Example TXT output:

Suspicious DLL Summary
api-ms-win-core-file-l1-1-0.dll: 5
api-ms-win-core-registry-l1-1-0.dll: 3
api-ms-win-core-processthreads-l1-1-0.dll: 2

Example JSON output:

{
  "suspiciousDlls": {
    "api-ms-win-core-file-l1-1-0.dll": 5,
    "api-ms-win-core-registry-l1-1-0.dll": 3,
    "api-ms-win-core-processthreads-l1-1-0.dll": 2
  }
}

SHA-256 and File Metadata

Static reports include file metadata for identification and comparison.

TXT reports include:

Target File Size: 360448 bytes
SHA-256: ab15a95de88ab0624307ae0e28e333756a2a522f650a0be78749901f7dc32ecf

JSON reports include:

{
  "targetFileSize": 360448,
  "sha256": "ab15a95de88ab0624307ae0e28e333756a2a522f650a0be78749901f7dc32ecf"
}

This helps identify analyzed files even if the file name changes.


Safety Notes

  • Static analysis does not execute the target file.
  • Dynamic analysis executes the target file.
  • Dynamic mode should only be used inside an isolated Windows VM.
  • Do not run unknown or suspicious files on your main system.
  • This project is for educational and defensive research purposes.
  • This is not a replacement for professional malware sandboxing solutions.

Current Limitations

  • Dynamic analysis is experimental.
  • Dynamic mode is Windows-only.
  • DLL files should be analyzed with static mode.
  • Dynamic mode is intended for executable files.
  • API capture coverage is limited to implemented hooks.
  • The tool does not perform full behavioral sandboxing.
  • The tool does not replace antivirus or EDR products.

Roadmap

Possible future improvements:

  • Open TXT/JSON report buttons in GUI
  • Export GUI results as PDF
  • More suspicious API categories
  • More detailed process behavior tracking
  • Network behavior summary
  • Registry behavior summary
  • YARA rule support
  • Hash database lookup
  • Improved dynamic analysis stability
  • Better report visualization in GUI
  • Installer support for GUI builds

License

This project is released under the MIT License.


AI Assistance Notice

This project was developed with AI-assisted guidance for planning, code organization, documentation, debugging, UI iteration, and technical explanations.

About

No description, website, or topics provided.

Resources

License

Stars

1 star

Watchers

0 watching

Forks

Packages

 
 
 

Contributors