GithubHelp home page GithubHelp logo

hartl3y94 / qs_old Goto Github PK

View Code? Open in Web Editor NEW

This project forked from tylabs/qs_old

0.0 0.0 0.0 96 KB

Command line tool for scanning streams within office documents plus xor db attack

License: Mozilla Public License 2.0

Shell 0.05% C 82.68% YARA 17.26%

qs_old's Introduction

QuickSand.io

For QuickSand Version 2 written in Python with PDF analysis support, see quicksand.io.

QuickSand Version 1 Lite is no longer being actively developed.

QuickSand is a compact C framework to analyze suspected malware documents to 1) identify exploits in streams of different encodings, 2) locate and extract embedded executables. By having the ability to locate embedded obfuscated executables, QuickSand could detect documents that contain zero-day or unknown obfuscated exploits.

File Formats For Exploit and Active Content Detection

  • doc, docx, docm, rtf, etc
  • ppt, pptx, pps, ppsx, etc
  • xls, xlsx, etc
  • mime mso
  • eml email

File Formats For Executable Detection

  • All of the above, plus PDF.
  • Any document format such as HWP.

Lite Version - Mplv2 License

  • Key dictionary up to 256 byte XOR
  • Bitwise ROL, ROR, NOT
  • Addition or substraction math cipher
  • Executable extraction: Windows, Mac, Linux, VBA
  • Exploit search
  • RTF pre processing
  • Hex stream extract
  • Base 64 Stream extract
  • Embedded Zip extract
  • ExOleObjStgCompressedAtom extract
  • zLib Decode
  • Mime Mso xml Decoding
  • OpenXML decode (unzip)
  • Yara signatures included: Executables, active content, exploits CVE 2014 and earlier

Example results and more info blog post

Full Version - Commercial License

  • Key cryptanalysis 1-1024 bytes factors of 2; or a specified odd size 1-1024 bytes
  • 1 Byte zerospace not replaced brute force XOR search
  • XOR Look Ahead cipher
  • More Yara signatures included: All lite plus most recent exploits 2014-2016 for CVE identification
  • Try the full version online at QuickSand.io

Dependencies (not included)

  • Yara 3.4+
  • zlib 1.2.1+
  • libzip 1.1.1+

Distributed components under their own licensing

  • MD5 by RSA Data Security, Inc.
  • SHA1 by Paul E. Jones
  • SHA2 by Aaron D. Gifford
  • jWrite by TonyWilk for json output
  • tinydir by Cong Xu, Baudouin Feildel for directory processing

Quick Start

  • ./build.sh
  • ./quicksand.out -h
  • ./quicksand.out malware.doc

Documentation

QuickSand.io

Copyright, License, and Trademark

"QuickSand.io" name and the QuickSand application logo are Copyright 2016 Tyler McLellan and Tylabs and their use requires written permission from the author.

Source code quicksand.c, libqs.h, libqs.c and the yara signatures except where noted are Copyright 2016 Tyler McLellan and Tylabs.

See included Mozilla Public License Version 2.0 for licensing information.

qs_old's People

Contributors

bartblaze avatar tylabs avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.