Automated malcode analysis system
Repository contents (last commit touching each entry):

File                      Date          Last commit message (truncated as shown)
dependancy                Jun 10, 2017  real entropy calc, /ext option (set log file ext), disable dir watch …
source                    Jun 10, 2017  real entropy calc, /ext option (set log file ext), disable dir watch …
.gitattributes            Sep 19, 2012  simplified and moved injection routines to CProcessInfo class, both h…
.gitignore                Dec 15, 2014  removed safe_test1 binary from git and install (av detection)
.todo.txt                 Jun 10, 2017  real entropy calc, /ext option (set log file ext), disable dir watch …
ShellExt.exe              Jul 27, 2016  DumpProcessMemory now chunked, straighten out liProc..used cached info
SysAnalyzer.pdb           Jun 10, 2017  real entropy calc, /ext option (set log file ext), disable dir watch …
SysAnalyzer_help.chm      Nov 18, 2016  /outDir command line option
WinPcap_4_1_2.exe         May 10, 2012  added tcpdump option, sniffhit now not promiscuous by default, Sleep …
Win_Dump.exe              Jan 8, 2014   api_log.dll now hides processes and api_log.dll: char* hide[] = {
api_log.dll               Aug 20, 2016  mnuKnownDBDisable, bugfix: crash on add known driver (filter list), S…
api_log.x64.dll           Sep 20, 2012  added api_log.x64.dll - switched over to modified NTCoreHookEngine
api_logger.exe            Oct 8, 2016   injector save command line when elevating, sysanalyzer ignore ip
av_detections.txt         Dec 15, 2014  removed safe_test1 binary from git and install (av detection)
build_notes.txt           May 31, 2015  rwe mem scan: save all
cfg.dat                   May 3, 2017   CRegDiff: "\Software\Classes" 'koveter, SDB AppCompatFlags, \Winlogon…
copy.bat                  Sep 25, 2013  added dll /source/apilog/nosleep
delayed_inject.exe        Apr 30, 2016  tweaks and bugfixes: rt clk string search, added dll list to report fo…
dir_watch.dll             May 30, 2012  dirwatch_ui now can watch any drive, has drive list, and can watch sp…
dirwatch_ui.exe           Feb 25, 2016  filter list integration
enumMutex.dll             Aug 21, 2016  synced CProcessInfo with updates from proc_lib, cx64 limited query (v…
exploit_sigs.txt          Sep 8, 2011   base install
full_install_script.iss_  Jan 16, 2014  added tools menu to wizard startup form for quick access,
install_script.iss        Nov 18, 2016  /outDir command line option
known_files.mdb           Sep 8, 2011   base install
loadlib.exe               Mar 7, 2012   sysanalyzer now can load dlls, fixed save file on dirwatch form, mods…
nosleep.dll               Feb 5, 2014   changed to CreateProcessInternalW hook, logger injection now works wi…
proc_watch.exe            Apr 23, 2015  procwatch added user column, injector bugfix pid lcase
readme.txt                Dec 11, 2015  added frmMemSearchResults (from memory map rt clk search) - couple bu…
removals.txt              Feb 27, 2016  multiple process dll diff
shellext.external.txt     Nov 25, 2013  proc analyzer now built into main exe
sniff_hit.exe             Oct 14, 2015  generated txt files all renamed to .log so crypto malware more likely…
ssleay_hook.dll           Feb 7, 2013   dirwatch bug fix, sysanalyzer.cregdiff bugfix
sysAnalyzer.exe           Jun 10, 2017  real entropy calc, /ext option (set log file ext), disable dir watch …
virustotal.exe            Nov 25, 2013  proc analyzer now built into main exe
x64.dll                   Sep 4, 2012   added x64 helper project commands: /inject /dlls /dumpprocess /dumpmo…
x64Helper.exe             Aug 21, 2016  synced CProcessInfo with updates from proc_lib, cx64 limited query (v…
zlib.dll                  Sep 4, 2012   added x64 helper project commands: /inject /dlls /dumpprocess /dumpmo…

readme.txt


Copyright (C) 2005 iDefense, a Verisign Company 
Author: David Zimmer  dzzie@yahoo.com 

Videos:
-------------------------------
updates:          https://www.youtube.com/watch?v=4twR8xtVWPk
apiLogger:        https://www.youtube.com/watch?v=SqdGjihhDoU
original trainer: https://www.youtube.com/watch?v=OPXwKChdO4c
-------------------------------

Installer:  http://sandsprite.com/tools.php?id=13
Help File:  http://sandsprite.com/iDef/SysAnalyzer/

SysAnalyzer is an application that was designed to give malcode analysts an 
automated tool to quickly collect, compare, and report on the actions a 
binary took while running on the system. 

The main components of SysAnalyzer work by comparing snapshots of the 
system taken over a user-specified time interval. A snapshot mechanism 
was chosen over a live-logging implementation to reduce the amount of 
data that analysts must wade through when conducting their analysis. By 
diffing snapshots, the tool presents only the persistent changes found 
on the system since the target was first run. 

While this mechanism eliminates a lot of the possible noise caused by 
other applications or inconsequential runtime nuances, it also opens up 
the possibility of missing key data: anything the sample does and undoes 
between the two snapshots (a dropper that runs and exits, a temporary 
file, a short-lived connection) leaves no trace in the diff. Because of 
this, SysAnalyzer also gives the analyst the option to include several 
forms of live logging in the analysis procedure. 

Note: SysAnalyzer is not a sandboxing utility. Target executables run 
fully live on the system. If you are testing malicious code, you must 
realize you will be infecting your test system; run it only on an 
isolated, disposable analysis machine or VM that you can revert. 

SysAnalyzer is designed to take snapshots of the following system 
attributes: 

* Running processes 
* Open ports and associated process 
* Dlls loaded into explorer.exe and Internet Explorer 
* System Drivers loaded into the kernel 
* Snapshots of certain registry keys 
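
The snapshot / wait / snapshot / diff cycle described above, with the 
live-logging fallback, as an added example in Python. This is not 
SysAnalyzer's own code (the tool is written in Visual Basic and C++). 
The snapshot categories mirror the list above; the collector reads a 
constructed in-memory "system" instead of enumerating a real Windows 
host, and the sample's actions, paths and process IDs are invented for 
the demonstration. The diff reports the persistent changes (new process, 
new listener, DLL loaded into explorer.exe, new Run value) while the 
dropper that exits before the second snapshot shows up only in the 
live log, which is exactly the gap the optional live logging covers. 

```python
"""Snapshot-diff engine in the style the SysAnalyzer readme describes.

Added example, not SysAnalyzer code. On a real lab host, collect() would
enumerate processes, listening ports, explorer.exe modules, drivers and
watched registry values; here it reads a constructed in-memory state.
"""
import copy
import time
from typing import Callable, Dict, List, Tuple

# category -> {identifier: value}; categories mirror the readme's list.
Snapshot = Dict[str, Dict[str, str]]


def diff_snapshots(before: Snapshot, after: Snapshot) -> Dict[str, Dict[str, dict]]:
    """Return only the categories that changed, split into added/removed/changed."""
    report: Dict[str, Dict[str, dict]] = {}
    for cat in sorted(set(before) | set(after)):
        b, a = before.get(cat, {}), after.get(cat, {})
        added = {k: a[k] for k in a.keys() - b.keys()}
        removed = {k: b[k] for k in b.keys() - a.keys()}
        changed = {k: (b[k], a[k]) for k in a.keys() & b.keys() if a[k] != b[k]}
        if added or removed or changed:
            report[cat] = {"added": added, "removed": removed, "changed": changed}
    return report


def run_and_diff(collect: Callable[[], Snapshot], run_sample: Callable[[], None],
                 interval_s: float) -> Dict[str, Dict[str, dict]]:
    """Snapshot, run the target, wait the analyst-chosen interval, snapshot, diff."""
    before = collect()
    run_sample()
    time.sleep(interval_s)
    after = collect()
    return diff_snapshots(before, after)


# --- Constructed stand-in for the live system (invented data, not real collection)
BASELINE: Snapshot = {
    "processes": {"4:System": "", "1337:explorer.exe": r"C:\Windows\explorer.exe"},
    "ports": {"tcp/135": "svchost.exe (pid 812)"},
    "explorer_dlls": {r"C:\Windows\System32\kernel32.dll": ""},
    "drivers": {"ntfs.sys": r"C:\Windows\System32\drivers\ntfs.sys"},
    "registry": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive":
                 r"C:\Users\lab\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
}


class FakeSystem:
    """Mutable state plus a list standing in for api_log/proc_watch live output."""

    def __init__(self) -> None:
        self.state: Snapshot = copy.deepcopy(BASELINE)
        self.live_log: List[str] = []

    def collect(self) -> Snapshot:
        return copy.deepcopy(self.state)

    def run_sample(self) -> None:
        s = self.state
        # Transient dropper: starts, installs the payload, exits before snapshot 2.
        s["processes"]["2042:dropper.exe"] = r"C:\Users\lab\dropper.exe"
        self.live_log.append("CreateProcess dropper.exe pid=2042")
        s["processes"]["2100:svchost32.exe"] = r"C:\Users\lab\AppData\svchost32.exe"
        self.live_log.append("CreateProcess svchost32.exe pid=2100 parent=2042")
        s["ports"]["tcp/4444"] = "svchost32.exe (pid 2100)"
        s["explorer_dlls"][r"C:\Users\lab\AppData\inject.dll"] = ""
        s["registry"][r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"] = (
            r"C:\Users\lab\AppData\svchost32.exe")
        del s["processes"]["2042:dropper.exe"]
        self.live_log.append("ExitProcess dropper.exe pid=2042")


def analyze(interval_s: float = 0.0) -> Tuple[Dict[str, Dict[str, dict]], List[str]]:
    """Run the constructed sample and return (snapshot diff, live log)."""
    system = FakeSystem()
    report = run_and_diff(system.collect, system.run_sample, interval_s)
    return report, system.live_log


if __name__ == "__main__":
    report, live_log = analyze()
    for cat, delta in report.items():
        for kind in ("added", "removed", "changed"):
            for key, val in delta[kind].items():
                print(f"[{cat}] {kind}: {key} {val}")
    print("\nlive log (what the diff alone cannot show):")
    print("\n".join(live_log))
```

interval_s is the analyst-chosen delay between launching the sample and 
the second snapshot; a longer interval lets slow persistence land in the 
diff, but nothing in the diff ever shows what happened and was undone in 
between, which is why the live log is kept alongside it. 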

For more information see the chm help file or videos.