r2kit's People

Contributors

cmatthewbrooks

r2kit's Issues

Feature - Win32 API Call-Chain Functionality

  • Implement class to get all possible paths a function can take
  • Get Win32 API call chains (and include other types of calls)
  • Find most common "gadgets"
  • Find relationship between size, instr cnt, and gadget
  • Manually determine auto-rename metric/criteria

Fix sessionstarter.py import renaming after r2 update

After updating r2 on 24 Feb (I don't know how long it had been since my previous update or what version I was using), I noticed my implementation to rename imports stopped renaming as expected.

It seems r2 changed the JSON object returned by "pdfj" so that now ops['disasm'] needs to be parsed instead of ops['opcode'].

This should be an easy fix next time I jump into bug fixes.

r2.cmd -> r2.cmdj

functions = r2.cmd("aflj")

All the JSON commands should use r2.cmdj and not r2.cmd; r2.cmdj returns a proper Python dictionary without the need for manual parsing, which is error-prone and inefficient.
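The two issues above (the pdfj key change that broke import renaming in sessionstarter.py, and the cmd vs cmdj point) both come down to how a script reads radare2's JSON. The example below is added here and is not r2kit's own sessionstarter.py code. It assumes r2pipe's cmdj() and the pdfj shape described in the issue: every op carries its text under 'opcode', and newer builds also carry a flag-resolved 'disasm' while 'opcode' holds only the bare mnemonic and numeric target. The sample ops, the FakeR2 stand-in and the "rename after the first import called" scheme are constructed assumptions for this example, not the project's logic.

```python
"""Import extraction from radare2 'pdfj' output that survives the JSON key
change, driven only through cmdj().  Added example, not r2kit's code."""
import re

# Matches 'sym.imp.<name>' in text such as 'call sym.imp.kernel32.dll_LoadLibraryA'
# or 'call dword [sym.imp.puts]'.
IMPORT_RE = re.compile(r"sym\.imp\.([^\s,\]]+)")


def op_text(op):
    """Flag-resolved text of one pdfj op under either r2 version:
    prefer 'disasm' (newer r2), fall back to 'opcode' (older r2)."""
    return op.get("disasm") or op.get("opcode") or ""


def is_call(op):
    """True for call-type ops; falls back to the mnemonic if 'type' is absent."""
    if op.get("type", "").endswith("call"):
        return True
    return op_text(op).split(" ")[0] in ("call", "bl", "blx")


def imports_called(pdfj, key=None):
    """Imports called by a function, in call order, deduplicated.
    key=None uses op_text(); key='opcode' reproduces the pre-fix behaviour,
    which finds nothing on newer r2 because 'opcode' no longer carries flags."""
    found = []
    for op in pdfj.get("ops", []):
        if not is_call(op):
            continue
        text = op.get(key, "") if key else op_text(op)
        m = IMPORT_RE.search(text)
        if m and m.group(1) not in found:
            found.append(m.group(1))
    return found


def short_import(name):
    """'kernel32.dll_GetProcAddress' -> 'GetProcAddress'; ELF names unchanged."""
    return re.sub(r"^.*\.dll_", "", name, flags=re.IGNORECASE)


def rename_unnamed(r2, dry_run=True):
    """Rename fcn.* functions after the first import they call (a hypothetical
    naming scheme chosen for this example).  Every JSON command goes through
    cmdj(); only the non-JSON 'afn' rename uses cmd()."""
    renamed = {}
    for fn in r2.cmdj("aflj") or []:
        if not fn["name"].startswith("fcn."):
            continue
        imps = imports_called(r2.cmdj("pdfj @ 0x%x" % fn["offset"]) or {})
        if imps:
            new = "%s_%s" % (fn["name"], short_import(imps[0]))
            renamed[fn["name"]] = new
            if not dry_run:
                r2.cmd("afn %s 0x%x" % (new, fn["offset"]))
    return renamed


# --- constructed sample data for offline runs (not real r2 output) ---------
def _ops(with_disasm):
    calls = [("call 0x4020a0", "call sym.imp.kernel32.dll_GetProcAddress", "e89a100000"),
             ("call 0x4020b0", "call sym.imp.kernel32.dll_LoadLibraryA", "e8a5100000")]
    ops = [{"offset": 0x401000, "type": "push", "opcode": "push ebp", "bytes": "55"}]
    for i, (raw, resolved, b) in enumerate(calls):
        op = {"offset": 0x401001 + 5 * i, "type": "call", "bytes": b}
        if with_disasm:          # newer shape: bare 'opcode', resolved 'disasm'
            op["opcode"], op["disasm"] = raw, resolved
        else:                    # older shape: 'opcode' already resolved
            op["opcode"] = resolved
        ops.append(op)
    ops.append({"offset": 0x40100b, "type": "ret", "opcode": "ret", "bytes": "c3"})
    return ops


SAMPLE_NEW = {"name": "fcn.00401000", "addr": 0x401000, "ops": _ops(True)}
SAMPLE_OLD = {"name": "fcn.00401000", "addr": 0x401000, "ops": _ops(False)}


class FakeR2(object):
    """Constructed stand-in for r2pipe.open(): answers from a fixed command table."""
    def __init__(self, table):
        self.table = table

    def cmd(self, c):
        return self.table.get(c, "")

    def cmdj(self, c):
        return self.table.get(c)


DEMO_SESSION = FakeR2({
    "aflj": [{"name": "fcn.00401000", "offset": 0x401000},
             {"name": "main", "offset": 0x401100}],
    "pdfj @ 0x401000": SAMPLE_NEW,
})

if __name__ == "__main__":
    import r2pipe                       # only needed against a real session
    r2 = r2pipe.open()                  # attaches to the running r2 under #!pipe
    for old, new in rename_unnamed(r2, dry_run=False).items():
        print("%s -> %s" % (old, new))
```

Run it from inside r2 as `#!pipe python script.py` after `aaa`; with dry_run left at its default it only reports what it would rename.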

Some feedback

If the binary wasn't previously analyzed, an exception is thrown:

[0x0001691c]> [22:08 edu@localhost armeabi-v7a] > r2 libtarget.so
Module version mismatch /home/edu/.config/radare2/plugins/io_frida.so (2.2.0-git) vs (2.3.0)
 -- Hold on, this should never happen!
[0x0000cb00]> #!pipe python2 /home/edu/r2scripts/functoyara.py -n rule -a edu
p: Cannot find function at 0x0000cb00
Traceback (most recent call last):
  File "/home/edu/r2scripts/functoyara.py", line 235, in <module>
    rule.create(args.name,args.author)
  File "/home/edu/r2scripts/functoyara.py", line 64, in create
    rule = self.create_rule(name,author)
  File "/home/edu/r2scripts/functoyara.py", line 88, in create_rule
    rule += '            ' + self.format_rule_opcodes(self.get_func_yara_opcodes()) + '\r\n\r\n'
  File "/home/edu/r2scripts/functoyara.py", line 177, in get_func_yara_opcodes
    return sigj[0]['bytes'].replace('.','?')
IndexError: list index out of range

Perhaps you can count the number of functions with aflc. If this is bigger than 0, then it was analyzed.

After analyzing, the script aborts the radare2 session:

[0x0000cb00]> aaa
[ WARNING : block size exceeding max block size at 0x00042df0
[+] Try changing it with e anal.bb.maxsize
 WARNING : block size exceeding max block size at 0x0001be48
[+] Try changing it with e anal.bb.maxsize
 WARNING : block size exceeding max block size at 0x00033044
[+] Try changing it with e anal.bb.maxsize
[x] Analyze all flags starting with sym. and entry0 (aa)
[ ]
[Value from 0x00000000 to 0x0004b2bc
aav: 0x00000000-0x0004b2bc in 0x0-0x4b2bc
aav: 0x00000000-0x0004b2bc in 0x4d120-0x64b3c
Value from 0x0004d120 to 0x00064b3c
aav: 0x0004d120-0x00064b3c in 0x0-0x4b2bc
aav: 0x0004d120-0x00064b3c in 0x4d120-0x64b3c
[x] Analyze len bytes of instructions for references (aar)
[ WARNING : block size exceeding max block size at 0x0000fca0
[+] Try changing it with e anal.bb.maxsize
 WARNING : block size exceeding max block size at 0x00011288
[+] Try changing it with e anal.bb.maxsize
 WARNING : block size exceeding max block size at 0x00013330
[+] Try changing it with e anal.bb.maxsize
 WARNING : block size exceeding max block size at 0x0003c8f8
[+] Try changing it with e anal.bb.maxsize
[x] Analyze function calls (aac)
[x] Use -AA or aaaa to perform additional experimental analysis.
[x] Constructing a function name for fcn.* and sym.func.* functions (aan)
[0x0000cb00]> #!pipe python2 /home/edu/r2scripts/functoyara.py -n rule -a edu
Cannot open ttyname(0) (null)
sh: error while loading shared libraries: libc.so.6: cannot open shared object file: Error 24
[0x0000cb00]> [22:10 edu@localhost armeabi-v7a] >

Crash on ARM code (obfuscated sample)

[0x00049cbc]> #!pipe python2 /home/edu/r2scripts/functoyara.py -n rule -a edu
Traceback (most recent call last):
  File "/home/edu/r2scripts/functoyara.py", line 235, in <module>
    rule.create(args.name,args.author)
  File "/home/edu/r2scripts/functoyara.py", line 64, in create
    rule = self.create_rule(name,author)
  File "/home/edu/r2scripts/functoyara.py", line 85, in create_rule
    rule += '        ' + self.format_comment_instructions()
  File "/home/edu/r2scripts/functoyara.py", line 153, in format_comment_instructions
    comment_instructions += '// ' + op['bytes']
KeyError: 'bytes'
[0x00049cbc]> pd 5
/ (fcn) sym.Java_works_se_appsolid_CommonUtil_Emulator 184
|   sym.Java_works_se_appsolid_CommonUtil_Emulator ();
|           ; var int local_6ch @ sp+0x6c
|           ; var int local_70h @ sp+0x70
..... // SKIPPED
|           0x00049cbc  ~   f0b5           push {r4, r5, r6, r7, lr}
|           ;-- aav.0x00049cbd:
|              ; UNKNOWN XREF from 0x00000ab8 (aav.0x00000ab8 + 0)
|           0x00049cbd      b5             unaligned
|           0x00049cbe      ffb0           sub sp, aav.0x000001fc
|           0x00049cc0      ffb0           sub sp, aav.0x000001fc
|           0x00049cc2      efb0           sub sp, aav.0x000001bc
[0x00049cbc]> ~

Sample:
sample.so.zip

functoyara.py enhancements

  • Implement raw mode to take offset and size and just sig that (for smaller parts of larger functions)
  • Implement a batch mode to generate for all non-lib (non-named) functions

Feature - "raw" mode for functoyara.py

Right now, functoyara.py has to work for a given function. It would be good to split this into function mode and raw mode. Function mode would remain as-is, but raw mode would involve passing a start address parameter and a size parameter and generating a signature based on that request. This would allow an analyst to target interesting parts of a larger function or buffers/strings in various data sections.

This idea originated from #3 .
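The three functoyara.py issues above (the IndexError when the binary was never analyzed, the KeyError: 'bytes' on the obfuscated ARM sample, and the proposed raw mode) can be handled in one signature generator. The code below is an added example and is not r2kit's functoyara.py. It assumes r2pipe and these radare2 commands: aflc (count of analysed functions), afij (JSON info for the function at the seek), pdfj (function ops as JSON) and p8 N @ addr (N raw bytes as hex). The "keep the first byte of a call/jump and wildcard the rest" masking is a simple heuristic chosen for this example, not radare2's zignature masking, and the FakeR2 stand-in with its command responses is constructed so the example runs offline.

```python
"""YARA rule generation from a radare2 session: function mode with pre-flight
checks and tolerant op handling, plus a raw mode over (addr, size).
Added example, not r2kit's functoyara.py."""
import re

CALL_JUMP_TYPES = ("call", "ucall", "jmp", "ujmp", "cjmp")


def preflight(r2):
    """Fail early instead of with an IndexError deep in rule building:
    a zero function count means analysis never ran, and an empty afij
    means the seek is not inside any analysed function."""
    count = int((r2.cmd("aflc") or "0").strip() or 0)
    if count == 0:
        raise RuntimeError("no functions analysed; run 'aa' or 'aaa' first")
    info = r2.cmdj("afij") or []
    if not info:
        raise RuntimeError("seek is not inside an analysed function")
    return info[0]


def hex_to_yara(hexstr):
    """'e89a100000' -> 'e8 9a 10 00 00'; '.' masks become '?' nibbles."""
    h = hexstr.strip().lower().replace(".", "?")
    if len(h) % 2:
        raise ValueError("odd-length hex string: %r" % hexstr)
    return " ".join(h[i:i + 2] for i in range(0, len(h), 2))


def function_hex(ops):
    """Join the bytes of a function's ops into one YARA hex pattern.

    Ops without 'bytes' (radare2 gave none for the 'unaligned' pseudo-op in
    the obfuscated ARM sample) are skipped rather than raising KeyError, and
    their offsets are returned so the rule can record the gap.  Call/jump ops
    keep their first byte and wildcard the rest (heuristic assumed here)."""
    chunks, skipped = [], []
    for op in ops:
        b = op.get("bytes")
        if not b:
            skipped.append(op.get("offset", -1))
            continue
        if op.get("type") in CALL_JUMP_TYPES and len(b) > 2:
            b = b[:2] + "??" * (len(b) // 2 - 1)
        chunks.append(hex_to_yara(b))
    return " ".join(chunks), skipped


def raw_hex(r2, addr, size):
    """Raw mode: pattern over [addr, addr+size), so part of a large function
    or a buffer in a data section can be signed on its own."""
    if size <= 0:
        raise ValueError("size must be positive")
    return hex_to_yara(r2.cmd("p8 %d @ 0x%x" % (size, addr)))


def build_rule(name, author, pattern, comments=()):
    """Render a YARA rule; comments become // lines above the string."""
    if not re.match(r"^[A-Za-z_][A-Za-z0-9_]*$", name):
        raise ValueError("invalid YARA rule name: %r" % name)
    lines = ["rule %s" % name, "{", "    meta:",
             '        author = "%s"' % author.replace('"', "'"), "    strings:"]
    lines += ["        // %s" % c for c in comments]
    lines += ["        $sig = { %s }" % pattern, "    condition:", "        $sig", "}"]
    return "\n".join(lines) + "\n"


def function_rule(r2, name, author):
    fn = preflight(r2)
    pattern, skipped = function_hex((r2.cmdj("pdfj") or {}).get("ops", []))
    comments = ["function %s at 0x%x" % (fn["name"], fn["offset"])]
    comments += ["no bytes for op at 0x%x (skipped)" % off for off in skipped]
    return build_rule(name, author, pattern, comments)


def raw_rule(r2, name, author, addr, size):
    return build_rule(name, author, raw_hex(r2, addr, size),
                      ["raw bytes at 0x%x, size %d" % (addr, size)])


class FakeR2(object):
    """Constructed stand-in for r2pipe.open() with a fixed command table."""
    def __init__(self, table):
        self.table = table

    def cmd(self, c):
        return self.table.get(c, "")

    def cmdj(self, c):
        return self.table.get(c)


# Constructed responses: the first two ops echo the issue's ARM listing, the
# op without 'bytes' mimics the 'unaligned' entry, the call bytes are made up.
UNANALYSED = FakeR2({"aflc": "0\n"})
ANALYSED = FakeR2({
    "aflc": "3\n",
    "afij": [{"name": "sym.Java_works_se_appsolid_CommonUtil_Emulator",
              "offset": 0x49cbc, "size": 184}],
    "pdfj": {"ops": [{"offset": 0x49cbc, "type": "push", "bytes": "f0b5"},
                     {"offset": 0x49cbd, "type": "invalid"},
                     {"offset": 0x49cbe, "type": "sub", "bytes": "ffb0"},
                     {"offset": 0x49cc0, "type": "call", "bytes": "00f0a0f8"}]},
    "p8 4 @ 0x49cbe": "ffb0ffb0\n",
})

if __name__ == "__main__":
    import sys
    import r2pipe                       # real session only, launched via #!pipe
    r2 = r2pipe.open()
    if len(sys.argv) == 5:              # raw mode: name author addr size
        print(raw_rule(r2, sys.argv[1], sys.argv[2], int(sys.argv[3], 0), int(sys.argv[4], 0)))
    else:                               # function mode: name author
        print(function_rule(r2, sys.argv[1], sys.argv[2]))
```

In function mode the rule is built from the function at the current seek, as the original script does; in raw mode the seek is irrelevant and only the requested range is read.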
