HydraDragonAntivirus/HydraDragonTracer

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

HydraDragon Tracer

Advanced Forensic Analysis and Tracing Tool

HydraDragon Tracer is a comprehensive forensic analysis tool designed to trace and analyze artifacts across multiple data sources including registry entries, Windows event logs, executables, network traffic, memory, files, and encoded data.

Features

Multi-Source Tracing

  • Registry Analysis: Trace Windows Registry entries, autorun locations, services, and installed software
  • Windows Event Logs: Parse and analyze EVTX logs including Security, System, Application, Sysmon, PowerShell, and Windows Defender events
  • Prefetch Analysis: Analyze Windows Prefetch files for program execution artifacts, run counts, and execution timelines
  • PE File Analysis: Analyze portable executables for imports, exports, dependencies, sections, and suspicious patterns
  • Network Capture: Real-time packet capture and analysis using Scapy with DNS, IP, TCP/UDP protocol support
  • Memory Scanning: Scan process memory for strings and artifacts across running processes
  • File System Scanner: Search files with multiple encoding support (UTF-8, UTF-16, ASCII, Latin-1)
  • Encoding Analysis: Decode and analyze Base64, Base32, Base32-Crockford, Hex, URL encoding, Unicode escapes, and ROT13
  • Dependency Analysis: Trace DLL dependencies, API calls, and file references

Advanced GUI

  • Dark Mode Interface: Built with CustomTkinter for modern, professional appearance
  • Real-time Updates: Thread-safe result updates with progress tracking
  • Multiple Tabs: Organized views for Results, Network Capture, Timeline, Statistics, and Search
  • Built-in Search: Search through all trace results with highlighting
    • Case-sensitive/insensitive search
    • Searches across all scan types
    • Highlighted matches with >>>term<<< markers
    • Match count and summary statistics
  • Customizable Filters:
    • Deep scan mode
    • Recursive directory scanning
    • Custom regex pattern filtering
  • Export Functionality: Export results to JSON format for further analysis

Integration

  • HydraDragon Logger: Integrates with HydraDragonAntivirus logging system for comprehensive audit trails
  • Batch Processing: Analyze multiple targets in a single session
  • Multi-threaded: Non-blocking GUI with background analysis threads

Installation

Prerequisites

  • Python 3.12 or later
  • Windows OS (Required for registry, event logs, and memory scanning)
  • Administrator privileges (Required for network capture and full memory access)

Quick Install

Option 1: Poetry (Recommended)

Poetry provides better dependency management and reproducible builds.

install_poetry.bat

or

.\install_poetry.ps1

See POETRY_SETUP.md for detailed Poetry documentation.

Option 2: Batch Script (Traditional pip)

install.bat

Option 3: PowerShell Script (Traditional pip)

.\install.ps1

Option 4: Manual Install with Poetry

# Install Poetry (if not installed)
curl -sSL https://install.python-poetry.org | python -

# Configure Poetry
poetry config virtualenvs.in-project true

# Install dependencies
poetry install

Option 5: Manual Install with pip

# Upgrade pip
python -m pip install --upgrade pip

# Install dependencies
python -m pip install -r requirements.txt

Dependencies

  • customtkinter - Modern GUI framework
  • pefile - PE file analysis
  • scapy - Network packet capture
  • base32-crockford - Crockford Base32 encoding
  • logly - Logging framework
  • psutil - System and process utilities

Usage

Basic Usage

  1. Launch the application:

    With Poetry:

    poetry run python hydra_tracer.py

    With pip:

    python hydra_tracer.py
  2. For network capture features (requires Administrator):

    # Right-click Command Prompt/PowerShell
    # Select "Run as Administrator"
    
    # Then run:
    poetry run python hydra_tracer.py  # Poetry
    # or
    python hydra_tracer.py              # pip

Tracing Workflow

  1. Enter Target: Input a string, file path, or hash to trace

  2. Select Scan Types: Choose which analysis modules to run:

    • Registry Entries
    • Windows Event Logs
    • Prefetch Files
    • PE Imports/Exports
    • Network Traces
    • Memory Artifacts
    • File System
    • Encoding Analysis
    • Dependencies/APIs
  3. Configure Options:

    • Enable/disable deep scan
    • Toggle recursive search
    • Set case sensitivity
    • Add custom regex filters
  4. Start Trace: Click "Start Trace" to begin analysis

  5. View Results: Results appear in real-time across multiple tabs:

    • Results Tab: All findings with detailed context
    • Network Capture Tab: Network-specific results
    • Timeline Tab: Chronological event listing
    • Statistics Tab: Summary statistics
    • Search Tab: Search through all results
  6. Search Results (Optional):

    • Go to Search tab
    • Enter search term
    • Click 🔍 Search or press Enter
    • View highlighted matches
  7. Export: Save results to JSON for further analysis or reporting

Example Use Cases

Trace a Suspicious String

Target: "malicious_payload"
Scan Types: All enabled
Options: Deep scan, Recursive, Case-insensitive

This will search across:

  • Registry keys and values
  • Event logs
  • Running processes memory
  • File system
  • Network traffic

Analyze a PE File

Target: C:\Windows\System32\notepad.exe
Scan Types: PE Imports/Exports, Dependencies

This will extract:

  • Imported DLLs and functions
  • Exported functions
  • Section information
  • Suspicious API usage
  • Dependency chain

Decode Encoded Data

Target: SGVsbG8gV29ybGQ=
Scan Types: Encoding Analysis

This will attempt to decode as:

  • Base64
  • Base32
  • Hex
  • URL encoding
  • Unicode escapes

Network Traffic Analysis

Target: suspicious-domain.com
Scan Types: Network Traces
Options: Case-insensitive

Captures packets containing the target in:

  • DNS queries
  • HTTP/HTTPS traffic
  • IP addresses
  • Packet payloads

Architecture

Module Structure

HydraDragonTracer/
├── hydra_tracer.py              # Main GUI application
├── hydra_logger.py              # Standalone logger
├── modules/
│   ├── __init__.py
│   ├── registry_tracer.py       # Registry analysis
│   ├── event_log_parser.py      # Event log parsing
│   ├── prefetch_tracer.py       # Prefetch file analysis
│   ├── pe_analyzer.py           # PE file analysis
│   ├── network_tracer.py        # Network capture
│   ├── memory_scanner.py        # Memory scanning
│   ├── file_scanner.py          # File system search
│   ├── encoding_analyzer.py     # Encoding detection/decoding
│   └── dependency_analyzer.py   # Dependency tracing
├── pyproject.toml               # Poetry configuration
├── poetry.lock                  # Dependency lock file
├── requirements.txt             # pip dependencies
├── install_poetry.bat           # Poetry installer
├── install_poetry.ps1           # Poetry installer (PS)
├── install.bat                  # pip installer
├── install.ps1                  # pip installer (PS)
└── README.md

Analysis Modules

RegistryTracer

  • Scans Windows Registry hives (HKLM, HKCU, HKCR, HKU, HKCC)
  • Focuses on important paths (autoruns, services, software)
  • Recursive key enumeration with depth limiting
  • Matches on key names, value names, and value data

EventLogParser

  • Utilizes wevtutil for efficient event log querying
  • Parses XML event data
  • Tracks suspicious Event IDs (Sysmon, Security, PowerShell)
  • Extracts structured event data
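
The following Python is an added illustration of this module's approach, not the project's event_log_parser.py: it parses the XML that wevtutil emits, labels a few well-known event IDs, and matches a trace target against every EventData field. The sample XML and the event-ID table are constructed for the example.

```python
import xml.etree.ElementTree as ET

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Well-known event IDs worth labelling in a trace; the project's own list is not reproduced here.
NOTABLE_EVENT_IDS = {
    ("Microsoft-Windows-Sysmon", 1): "Sysmon: process created",
    ("Microsoft-Windows-Sysmon", 3): "Sysmon: network connection",
    ("Microsoft-Windows-Security-Auditing", 4688): "Security: process created",
    ("Microsoft-Windows-PowerShell", 4104): "PowerShell: script block logged",
}

def parse_event(event: ET.Element) -> dict:
    """Flatten one <Event> into provider, ID, timestamp and its EventData fields."""
    system = event.find("e:System", EVT_NS)
    provider = system.find("e:Provider", EVT_NS).get("Name", "")
    event_id = int(system.findtext("e:EventID", default="0", namespaces=EVT_NS))
    when = system.find("e:TimeCreated", EVT_NS).get("SystemTime", "")
    fields = {}
    for d in event.findall("e:EventData/e:Data", EVT_NS):
        fields[d.get("Name") or f"Data{len(fields)}"] = d.text or ""
    return {"provider": provider, "event_id": event_id, "time": when,
            "label": NOTABLE_EVENT_IDS.get((provider, event_id)), "fields": fields}

def match_events(wevtutil_xml: str, target: str, case_sensitive: bool = False) -> list:
    """Return events whose EventData contains target, oldest first."""
    # wevtutil qe ... /f:xml prints one <Event> per line with no document root, so wrap them.
    root = ET.fromstring("<Events>" + wevtutil_xml + "</Events>")
    needle = target if case_sensitive else target.lower()
    hits = []
    for ev in root.findall("e:Event", EVT_NS):
        parsed = parse_event(ev)
        for name, value in parsed["fields"].items():
            if needle in (value if case_sensitive else value.lower()):
                parsed["matched_field"] = name
                hits.append(parsed)
                break
    return sorted(hits, key=lambda h: h["time"])

# Constructed sample shaped like wevtutil output; not real log data.
SAMPLE_XML = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
    '<Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID>'
    '<TimeCreated SystemTime="2024-05-01T10:00:02.000Z"/></System><EventData>'
    '<Data Name="Image">C:\\Temp\\Malicious_Payload.exe</Data>'
    '<Data Name="CommandLine">Malicious_Payload.exe -run</Data></EventData></Event>\n'
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
    '<Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>'
    '<TimeCreated SystemTime="2024-05-01T09:59:00.000Z"/></System><EventData>'
    '<Data Name="TargetUserName">alice</Data></EventData></Event>\n'
)
```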

PrefetchTracer

  • Parses Windows Prefetch files (.pf)
  • Supports Windows XP/2003, Vista/7, 8.1, and 10 formats
  • Extracts executable names, run counts, execution times
  • Builds execution timelines from prefetch data
  • Identifies file paths referenced by executables
  • Analyzes prefetch hashes for tracking

PEAnalyzer

  • Uses pefile library for PE parsing
  • Extracts imports, exports, sections, resources
  • Calculates section entropy for packing detection
  • Identifies suspicious API usage patterns
  • Supports both 32-bit and 64-bit executables
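
The section entropy check is the piece of this module most worth seeing in code. The block below is an added example, not the project's pe_analyzer.py: it computes Shannon entropy per section and labels sections using thresholds that are assumptions for the example; the section_report function shows the pefile call path for a real file, while the helpers run on constructed bytes without pefile.

```python
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return max(0.0, -sum((c / n) * math.log2(c / n) for c in Counter(data).values()))

def classify_section(name: str, raw: bytes, high: float = 7.0, low: float = 1.0) -> dict:
    """Label a section by entropy. Packed or encrypted payloads sit near 8 bits/byte,
    ordinary native code roughly around 5 to 6.5, zero-filled or padding sections near 0.
    The high/low thresholds are assumptions for this example, not values from the project."""
    h = shannon_entropy(raw)
    if h >= high:
        verdict = "high entropy: likely packed or encrypted"
    elif h <= low:
        verdict = "low entropy: mostly empty or padding"
    else:
        verdict = "normal entropy: plain code or data"
    return {"section": name, "entropy": round(h, 3), "verdict": verdict}

def section_report(pe_path: str) -> list:
    """Apply the classifier to every section of a real PE via pefile.
    pefile is imported lazily so the entropy helpers above run without it."""
    import pefile
    pe = pefile.PE(pe_path)
    return [classify_section(s.Name.rstrip(b"\x00").decode(errors="replace"), s.get_data())
            for s in pe.sections]
```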

NetworkTracer

  • Real-time packet sniffing with Scapy
  • Protocol support: IP, TCP, UDP, DNS, ARP
  • Payload inspection and string matching
  • DNS query extraction
  • IP address tracking

MemoryScanner

  • Enumerates running processes
  • Reads process memory regions
  • String and byte pattern matching
  • UTF-8 and ASCII decoding
  • Address-level context reporting

FileScanner

  • Multi-encoding support (UTF-8, UTF-16, ASCII, Latin-1, CP1252)
  • Text and binary file handling
  • SHA256 hash calculation
  • Regex pattern filtering
  • Size-based file skipping (configurable limit)
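
As an added example (not the project's file_scanner.py), the Python below walks a directory, tries the listed encodings in a safe order, hashes each file, applies a regex with optional case sensitivity, and reports files skipped for size instead of silently dropping them. The build_sample_dir fixture and its file contents are constructed for the example.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Order matters: latin-1 accepts every byte sequence, so it must be the last resort.
ENCODINGS = ("utf-8", "utf-16", "ascii", "cp1252", "latin-1")

def decode_text(raw: bytes):
    """Return (encoding, text) for the first encoding that decodes raw without error."""
    for enc in ENCODINGS:
        try:
            return enc, raw.decode(enc)
        except UnicodeDecodeError:
            continue

def scan_file(path: Path, pattern: str, case_sensitive: bool = False,
              max_file_size: int = 10 * 1024 * 1024) -> dict:
    """Hash one file, detect its text encoding and report regex matches with context.
    Files above max_file_size are skipped but still reported, so the skip is auditable."""
    size = path.stat().st_size
    if size > max_file_size:
        return {"path": str(path), "size": size, "skipped": f"larger than {max_file_size} bytes"}
    raw = path.read_bytes()
    enc, text = decode_text(raw)
    flags = 0 if case_sensitive else re.IGNORECASE
    matches = [(m.start(), text[max(0, m.start() - 20):m.end() + 20])
               for m in re.finditer(pattern, text, flags)]
    return {"path": str(path), "size": size, "sha256": hashlib.sha256(raw).hexdigest(),
            "encoding": enc, "matches": matches}

def scan_directory(root: Path, pattern: str, recursive: bool = True, **options) -> list:
    """Scan every regular file under root (recursively by default)."""
    files = root.rglob("*") if recursive else root.glob("*")
    return [scan_file(p, pattern, **options) for p in sorted(files) if p.is_file()]

def build_sample_dir() -> Path:
    """Constructed fixture: a UTF-16 config, a plain UTF-8 note, an oversized blob, a nested script."""
    d = Path(tempfile.mkdtemp())
    (d / "app.cfg").write_bytes("loader=Malicious_Payload.exe\n".encode("utf-16"))
    (d / "notes.txt").write_text("nothing of interest here\n", encoding="utf-8")
    (d / "blob.bin").write_bytes(b"\x00" * 4096)
    (d / "sub").mkdir()
    (d / "sub" / "run.cmd").write_text("start malicious_payload.exe\r\n", encoding="cp1252")
    return d

if __name__ == "__main__":
    for r in scan_directory(build_sample_dir(), r"malicious_payload", max_file_size=1024):
        print(r)
```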

EncodingAnalyzer

  • Base64 detection and decoding
  • Base32 (standard and Crockford) support
  • Hexadecimal string decoding
  • URL encoding handling
  • Unicode escape sequences
  • ROT13 detection with word analysis
  • Readability heuristics
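
The Decode Encoded Data use case above and this module's decoder list share one idea: try every decoder and keep only outputs that read as text. The block below is an added example, not the project's encoding_analyzer.py. Crockford Base32 is decoded to an integer (the convention of the base32-crockford library) and then to bytes; the readability threshold, the ROT13 word list and the decoder order are assumptions for the example.

```python
import base64, binascii, codecs, re, string
from urllib.parse import unquote
PRINTABLE = set(string.printable.encode())
CROCKFORD = "0123456789ABCDEFGHJKMNPQRSTVWXYZ"  # Crockford alphabet: no I, L, O, U
# Tiny word list for the ROT13 word-analysis gate (assumed heuristic, not the project's list).
COMMON_WORDS = {"the", "and", "hello", "world", "http", "exe", "windows", "user", "run", "dll"}

def is_readable(data: bytes, threshold: float = 0.9) -> bool:
    """Decoded output counts as text when nearly all bytes are printable ASCII."""
    return bool(data) and sum(b in PRINTABLE for b in data) / len(data) >= threshold

def crockford_decode_int(s: str) -> int:
    """Crockford Base32 decodes to an integer (as base32-crockford does); O->0, I/L->1."""
    s = s.upper().replace("O", "0").replace("I", "1").replace("L", "1").replace("-", "")
    n = 0
    for c in s:
        n = n * 32 + CROCKFORD.index(c)  # ValueError on any non-Crockford symbol
    return n

def try_crockford(s: str) -> bytes:
    n = crockford_decode_int(s)
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

def try_url(s: str):
    out = unquote(s)
    return None if out == s else out.encode()

def try_unicode_escape(s: str):
    if "\\u" not in s and "\\x" not in s:
        return None
    return s.encode("ascii", "backslashreplace").decode("unicode_escape").encode()

def try_rot13(s: str):
    def words(t): return sum(w in COMMON_WORDS for w in re.findall(r"[a-z]+", t.lower()))
    out = codecs.decode(s, "rot13")
    return out.encode() if words(out) > words(s) else None  # must gain dictionary words

DECODERS = {"base64": lambda s: base64.b64decode(s, validate=True), "hex": bytes.fromhex,
            "base32": lambda s: base64.b32decode(s.upper()), "crockford": try_crockford,
            "url": try_url, "unicode_escape": try_unicode_escape, "rot13": try_rot13}

def analyze(target: str) -> dict:
    """Run every decoder on target; keep only outputs that pass the readability gate."""
    results = {}
    for name, fn in DECODERS.items():
        try:
            out = fn(target)
        except (ValueError, binascii.Error, UnicodeDecodeError):
            continue
        if out is not None and is_readable(out):
            results[name] = out.decode("utf-8", errors="replace")
    return results
```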

DependencyAnalyzer

  • PE dependency extraction
  • Python import tracing
  • JavaScript module analysis
  • Generic pattern matching (DLLs, APIs, paths, URLs)
  • PATH environment scanning

Logging

HydraDragon Tracer integrates with the HydraDragonAntivirus logging system. Logs are stored in:

C:\Users\victim\Documents\GitHub\HydraDragonAntivirus\hydradragon\antivirus_scripts\log\antivirus.log

Log entries include:

  • Application initialization
  • Trace operations start/stop
  • Analysis results
  • Errors and exceptions

Security Considerations

Administrator Privileges

Some features require elevated privileges:

  • Network Capture: Requires Administrator to access raw sockets
  • Memory Scanning: Requires Administrator to read other processes' memory
  • Event Log Access: Some logs require Administrator permissions

Performance

  • Memory scanning is limited to 20 processes by default
  • File scanning limits to 1000 files in common locations
  • Registry scanning uses depth limiting to prevent excessive enumeration
  • Network capture has a default 10-second timeout

Privacy

  • Memory scanning may capture sensitive data from running processes
  • Network capture may intercept sensitive network traffic
  • All captured data is stored locally only
  • No data is transmitted externally

Advanced Configuration

Modify Scan Limits

Edit the module files to adjust limits:

registry_tracer.py:

depth = full_path.count("\\")
if depth < 10:  # Change depth limit
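
To show how that depth check fits into the RegistryTracer module's recursive enumeration, here is an added example (not the project's registry_tracer.py) that walks a hive through a pluggable reader, matching key names, value names and value data, and stopping when the backslash count of the path reaches the limit. winreg_reader is the assumed Windows-backed reader; FAKE_HKLM is a constructed in-memory hive so the walker can be exercised anywhere.

```python
from typing import Callable

def walk_registry(hive: str, path: str, target: str, read: Callable, max_depth: int = 10,
                  case_sensitive: bool = False) -> list:
    """Recursively match target against key names, value names and value data below
    hive\\path. Depth is the backslash count of the path, as in the project's
    depth = full_path.count("\\\\") check, and recursion stops once it reaches max_depth.
    read(hive, path) must return (subkey_names, [(value_name, value_data), ...])."""
    norm = (lambda s: s) if case_sensitive else str.lower
    needle = norm(target)
    hits = []

    def visit(p: str) -> None:
        subkeys, values = read(hive, p)
        for name, data in values:
            for text, kind in ((name, "value name"), (str(data), "value data")):
                if needle in norm(text):
                    hits.append({"key": f"{hive}\\{p}", "match": kind, "name": name, "data": data})
        for sk in subkeys:
            child = f"{p}\\{sk}"
            if needle in norm(sk):
                hits.append({"key": f"{hive}\\{child}", "match": "key name", "name": sk, "data": None})
            if child.count("\\") < max_depth:  # depth limit prevents runaway enumeration
                visit(child)

    visit(path)
    return hits

def winreg_reader(hive: str, path: str):
    """Reader backed by the standard winreg module (Windows only; assumed usage)."""
    import winreg
    root = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}[hive]
    with winreg.OpenKey(root, path) as key:
        n_sub, n_val, _ = winreg.QueryInfoKey(key)
        return ([winreg.EnumKey(key, i) for i in range(n_sub)],
                [winreg.EnumValue(key, i)[:2] for i in range(n_val)])

# Constructed in-memory hive so the walker can be exercised offline (not real registry data).
FAKE_HKLM = {
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run": ([], [("Updater", r"C:\Temp\Malicious_Payload.exe")]),
    r"SYSTEM\CurrentControlSet\Services": (["PayloadSvc"], []),
    r"SYSTEM\CurrentControlSet\Services\PayloadSvc": (["Parameters"], [("ImagePath", r"C:\Temp\malicious_payload.exe")]),
    r"SYSTEM\CurrentControlSet\Services\PayloadSvc\Parameters": ([], [("Tag", "Malicious_Payload")]),
}

def fake_reader(hive: str, path: str):
    return FAKE_HKLM.get(path, ([], []))
```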

memory_scanner.py:

max_processes = 20  # Change process limit

file_scanner.py:

self.max_file_size = 10 * 1024 * 1024  # Change size limit

network_tracer.py:

self.capture_duration = 10  # Change capture duration (seconds)

Troubleshooting

"Scapy not installed" Error

pip install scapy

"Insufficient permissions" for Network Capture

Run application as Administrator:

# Right-click Command Prompt
# Select "Run as Administrator"
python hydra_tracer.py

"Logger initialization failed"

Ensure HydraDragonAntivirus is properly installed at:

C:\Users\victim\Documents\GitHub\HydraDragonAntivirus

GUI Not Appearing

Check Python version (3.12+ required):

python --version

Reinstall CustomTkinter:

pip install --force-reinstall customtkinter

Contributing

This tool is part of the HydraDragon security suite. For issues or feature requests, please contact the HydraDragon development team.

License

See LICENSE file for details.

Disclaimer

This tool is designed for authorized security analysis, forensic investigation, and educational purposes only. Users are responsible for ensuring they have proper authorization before analyzing systems, networks, or files. Unauthorized use may violate local laws and regulations.

Credits

Developed as part of the HydraDragon Antivirus project.

Uses the following open-source libraries:

  • CustomTkinter by Tom Schimansky
  • Scapy by Philippe Biondi
  • pefile by Ero Carrera
  • base32-crockford

HydraDragon Tracer - Trace everything, analyze anything.
