cmatthewbrooks / r2kit
A set of scripts for a radare-based malware code analysis workflow
After updating r2 on 24 Feb (I don't know how long it had been since my previous update or what version I was using), I noticed my implementation to rename imports stopped renaming as expected.
It seems r2 changed the JSON object returned by "pdfj" so that now ops['disasm'] needs to be parsed instead of ops['opcode'].
This should be an easy fix next time I jump into bug fixes.
Line 55 in e301720
All the JSON commands should use r2.cmdj and not r2.cmd; r2.cmdj returns a proper Python dictionary without the need for manual parsing, which is error-prone and inefficient.
If the binary wasn't previously analyzed, an exception is thrown:
[0x0001691c]> [22:08 edu@localhost armeabi-v7a] > r2 libtarget.so
Module version mismatch /home/edu/.config/radare2/plugins/io_frida.so (2.2.0-git) vs (2.3.0)
-- Hold on, this should never happen!
[0x0000cb00]> #!pipe python2 /home/edu/r2scripts/functoyara.py -n rule -a edu
p: Cannot find function at 0x0000cb00
Traceback (most recent call last):
File "/home/edu/r2scripts/functoyara.py", line 235, in <module>
rule.create(args.name,args.author)
File "/home/edu/r2scripts/functoyara.py", line 64, in create
rule = self.create_rule(name,author)
File "/home/edu/r2scripts/functoyara.py", line 88, in create_rule
rule += ' ' + self.format_rule_opcodes(self.get_func_yara_opcodes()) + '\r\n\r\n'
File "/home/edu/r2scripts/functoyara.py", line 177, in get_func_yara_opcodes
return sigj[0]['bytes'].replace('.','?')
IndexError: list index out of range
Perhaps you can count the number of functions with aflc. If this is bigger than 0, then it was analyzed.
After analysis, the script aborts the radare2 session:
[0x0000cb00]> aaa
[ WARNING : block size exceeding max block size at 0x00042df0
[+] Try changing it with e anal.bb.maxsize
WARNING : block size exceeding max block size at 0x0001be48
[+] Try changing it with e anal.bb.maxsize
WARNING : block size exceeding max block size at 0x00033044
[+] Try changing it with e anal.bb.maxsize
[x] Analyze all flags starting with sym. and entry0 (aa)
[ ]
[Value from 0x00000000 to 0x0004b2bc
aav: 0x00000000-0x0004b2bc in 0x0-0x4b2bc
aav: 0x00000000-0x0004b2bc in 0x4d120-0x64b3c
Value from 0x0004d120 to 0x00064b3c
aav: 0x0004d120-0x00064b3c in 0x0-0x4b2bc
aav: 0x0004d120-0x00064b3c in 0x4d120-0x64b3c
[x] Analyze len bytes of instructions for references (aar)
[ WARNING : block size exceeding max block size at 0x0000fca0
[+] Try changing it with e anal.bb.maxsize
WARNING : block size exceeding max block size at 0x00011288
[+] Try changing it with e anal.bb.maxsize
WARNING : block size exceeding max block size at 0x00013330
[+] Try changing it with e anal.bb.maxsize
WARNING : block size exceeding max block size at 0x0003c8f8
[+] Try changing it with e anal.bb.maxsize
[x] Analyze function calls (aac)
[x] Use -AA or aaaa to perform additional experimental analysis.
[x] Constructing a function name for fcn.* and sym.func.* functions (aan)
[0x0000cb00]> #!pipe python2 /home/edu/r2scripts/functoyara.py -n rule -a edu
Cannot open ttyname(0) (null)
sh: error while loading shared libraries: libc.so.6: cannot open shared object file: Error 24
[0x0000cb00]> [22:10 edu@localhost armeabi-v7a] >
[0x00049cbc]> #!pipe python2 /home/edu/r2scripts/functoyara.py -n rule -a edu
Traceback (most recent call last):
File "/home/edu/r2scripts/functoyara.py", line 235, in <module>
rule.create(args.name,args.author)
File "/home/edu/r2scripts/functoyara.py", line 64, in create
rule = self.create_rule(name,author)
File "/home/edu/r2scripts/functoyara.py", line 85, in create_rule
rule += ' ' + self.format_comment_instructions()
File "/home/edu/r2scripts/functoyara.py", line 153, in format_comment_instructions
comment_instructions += '// ' + op['bytes']
KeyError: 'bytes'
[0x00049cbc]> pd 5
/ (fcn) sym.Java_works_se_appsolid_CommonUtil_Emulator 184
| sym.Java_works_se_appsolid_CommonUtil_Emulator ();
| ; var int local_6ch @ sp+0x6c
| ; var int local_70h @ sp+0x70
..... // SKIPPED
| 0x00049cbc ~ f0b5 push {r4, r5, r6, r7, lr}
| ;-- aav.0x00049cbd:
| ; UNKNOWN XREF from 0x00000ab8 (aav.0x00000ab8 + 0)
| 0x00049cbd b5 unaligned
| 0x00049cbe ffb0 sub sp, aav.0x000001fc
| 0x00049cc0 ffb0 sub sp, aav.0x000001fc
| 0x00049cc2 efb0 sub sp, aav.0x000001bc
[0x00049cbc]> ~
Sample:
sample.so.zip
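The three robustness points raised in this thread (use cmdj instead of hand-parsing cmd output, confirm the binary was analyzed before calling pdfj, and cope with pdfj ops that carry 'disasm' rather than 'opcode' or that lack a 'bytes' key) can be put into a few small helpers. The following is an added Python 3 example, not code from r2kit: FakeR2 and all of its canned output are constructed stand-ins for an r2pipe handle, and the helpers only assume an object exposing a cmdj() method that returns parsed JSON.

```python
"""Defensive helpers for an r2pipe-based script such as functoyara.py.

Added example, not part of r2kit. It assumes an object with a cmdj()
method that behaves like r2pipe (cmdj returns parsed JSON) and uses a
constructed stand-in so it runs without radare2 installed.
"""
import json


def op_text(op):
    """Return the disassembly text of one pdfj op.

    Newer radare2 emits the text under 'disasm'; older builds used
    'opcode'.  Accept either so the script survives the schema change.
    """
    return op.get("disasm") or op.get("opcode") or ""


def is_analyzed(r2):
    """True when radare2 already knows at least one function.

    aflj via cmdj is the JSON equivalent of counting functions with aflc,
    the check suggested in the issue.
    """
    funcs = r2.cmdj("aflj") or []
    return len(funcs) > 0


def function_ops(r2, addr):
    """Fetch the ops of the function at addr with pdfj, or raise a clear error."""
    if not is_analyzed(r2):
        raise RuntimeError("binary not analyzed yet; run aaa (or aa) first")
    pdf = r2.cmdj("pdfj @ %#x" % addr)
    if not pdf or "ops" not in pdf:
        raise RuntimeError("no function at %#x" % addr)
    return pdf["ops"]


def yara_hex_from_ops(ops):
    """Build a YARA hex string from pdfj ops.

    Ops without a 'bytes' key (the KeyError seen in the issue) are skipped,
    and the '.' placeholders radare2 uses for masked bytes become '?'.
    """
    chunks = []
    for op in ops:
        raw = op.get("bytes")
        if not raw:
            continue
        chunks.append(raw.replace(".", "?"))
    return " ".join(chunks)


def comment_lines(ops):
    """'// bytes  disasm' comment lines, tolerant of missing keys."""
    return ["// %s  %s" % (op.get("bytes", "??"), op_text(op)) for op in ops]


class FakeR2(object):
    """Constructed stand-in for an r2pipe handle; commands map to canned JSON."""

    def __init__(self, canned):
        self.canned = canned

    def cmdj(self, cmd):
        # r2pipe.cmdj parses the JSON for us; raw cmd() text should never be
        # parsed by hand (the point raised in the review comment above).
        return json.loads(self.canned.get(cmd, "null"))


# Constructed sample output modelled on the aflj/pdfj shape, not real data.
UNANALYZED = FakeR2({"aflj": "[]"})
ANALYZED = FakeR2({
    "aflj": '[{"offset": 302268, "name": "sym.example_func", "size": 184}]',
    "pdfj @ 0x49cbc": json.dumps({"ops": [
        {"offset": 302268, "bytes": "f0b5", "disasm": "push {r4, r5, r6, r7, lr}"},
        {"offset": 302270, "bytes": "..b0", "opcode": "sub sp, 0x1fc"},
        {"offset": 302272, "type": "invalid"},
    ]}),
})


def demo():
    """Run the pipeline against the constructed handle; returns (hex, comments)."""
    ops = function_ops(ANALYZED, 0x49cbc)
    return yara_hex_from_ops(ops), comment_lines(ops)


if __name__ == "__main__":
    sig, comments = demo()
    print("\n".join(comments))
    print("$code = { %s }" % sig)
```

With a real session the only change is replacing ANALYZED by `r2pipe.open("libtarget.so")` (or the handle r2pipe gives a `#!pipe` script); the analysis check then turns the IndexError seen above into a one-line message telling the analyst to run aaa first.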
Random things to add/fix:
Right now, functoyara.py has to work for a given function. It would be good to split this into function mode and raw mode. Function mode would remain as-is, but raw mode would involve passing a start address parameter and a size parameter and generating a signature based on that request. This would allow an analyst to target interesting parts of a larger function or buffers/strings in various data sections.
This idea originated from #3.
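The raw mode proposed above, a start address plus a size turned into a signature, as an added Python 3 example that is not part of r2kit. The `read(addr, size)` callable stands in for the radare2 fetch; wiring it to r2pipe as `lambda a, n: bytes.fromhex(r2.cmd("p8 %d @ %#x" % (n, a)).strip())` is an assumption about how the script would call p8, and SAMPLE_IMAGE is a constructed buffer, not bytes from the sample.

```python
"""Raw-mode YARA rule generation for a functoyara-style script.

Added example, not part of r2kit. The caller supplies read(addr, size);
with r2pipe that would wrap the p8 command (assumption, see lead-in).
"""
import re

YARA_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def chunk_hex(data, per_line=16):
    """Format bytes as YARA hex pairs, per_line bytes per line."""
    pairs = ["%02x" % b for b in data]
    return [" ".join(pairs[i:i + per_line]) for i in range(0, len(pairs), per_line)]


def raw_mode_rule(name, author, start, size, read, comment=""):
    """Build a YARA rule from `size` bytes at `start`.

    `read(addr, size)` must return exactly `size` bytes; a short read is an
    error because the address range is the analyst's explicit request, so
    silently signing fewer bytes would produce a rule that does not match
    what they asked for.
    """
    if not YARA_IDENT.match(name):
        raise ValueError("invalid YARA rule name: %r" % name)
    if size <= 0:
        raise ValueError("size must be positive")
    data = read(start, size)
    if len(data) != size:
        raise ValueError("short read at %#x: wanted %d bytes, got %d"
                         % (start, size, len(data)))
    body = "\n".join("        " + line for line in chunk_hex(data))
    rule = [
        "rule %s" % name,
        "{",
        "    meta:",
        '        author = "%s"' % author.replace('"', '\\"'),
        '        source = "raw mode: %#x, %d bytes"' % (start, size),
    ]
    if comment:
        rule.append('        description = "%s"' % comment.replace('"', '\\"'))
    rule += [
        "    strings:",
        "        $raw = {",
        body,
        "        }",
        "    condition:",
        "        $raw",
        "}",
    ]
    return "\n".join(rule)


# Constructed sample image: 64 bytes standing in for a buffer in a data section.
SAMPLE_IMAGE_BASE = 0x4d120
SAMPLE_IMAGE = bytes(range(0x10, 0x50))


def sample_read(addr, size):
    """Read from the constructed image the way a file-backed session would."""
    off = addr - SAMPLE_IMAGE_BASE
    if off < 0 or off > len(SAMPLE_IMAGE):
        return b""
    return SAMPLE_IMAGE[off:off + size]


if __name__ == "__main__":
    print(raw_mode_rule("raw_example", "analyst", SAMPLE_IMAGE_BASE + 4, 20,
                        sample_read, comment="string in .data"))
```

The function mode on the page would keep its existing path; raw mode only differs in where the bytes come from, so the same rule-formatting code serves both once the fetch is abstracted behind a callable.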