redmed666 / malware_analysis_tools


Malware analysis toolbox

Homemade scripts that help me (or try to) analyse malware.

exe_stats.py

Dependencies

  • r2pipe
  • texttable

Example

Output functions in ascending size order

python3 exe_stats.py test.exe -o size

Output examples:

+---------------------------+--------------------+----------------------+------+
|       Function name       | Number refs to fct | Number refs from fct | Size |
+===========================+====================+======================+======+
| fcn.0040100b              | 1                  | 1                    | 1    |
+---------------------------+--------------------+----------------------+------+
| fcn.005b4a92              | 1                  | 1                    | 3    |
+---------------------------+--------------------+----------------------+------+
| fcn.005b100a              | 1                  | 1                    | 4    |
+---------------------------+--------------------+----------------------+------+
| entry0                    | 190                | 1                    | 11   |
+---------------------------+--------------------+----------------------+------+
| fcn.005b76be              | 1                  | 1                    | 21   |
+---------------------------+--------------------+----------------------+------+
| fcn.005bb4ae              | 1                  | 1                    | 26   |
+---------------------------+--------------------+----------------------+------+
| fcn.005b46de              | 1                  | 1                    | 38   |
+---------------------------+--------------------+----------------------+------+
| fcn.005c872a              | 1                  | 1                    | 46   |
+---------------------------+--------------------+----------------------+------+
| fcn.005c7ef2              | 1                  | 1                    | 244  |
+---------------------------+--------------------+----------------------+------+
| sym.imp.kernel32.dll_GetP | 0                  | 1                    | 381  |
| rocAddress                |                    |                      |      |
+---------------------------+--------------------+----------------------+------+
| fcn.005b1014              | 2                  | 6                    | 585  |
+---------------------------+--------------------+----------------------+------+
| fcn.005b26e6              | 1                  | 1                    | 966  |
+---------------------------+--------------------+----------------------+------+
| fcn.00473367              | 2                  | 1                    | 1010 |
+---------------------------+--------------------+----------------------+------+
| fcn.005c0122              | 1                  | 1                    | 1020 |
+---------------------------+--------------------+----------------------+------+
| sym.imp.user32.dll_GetKey | 0                  | 1                    | 1286 |
| boardType                 |                    |                      |      |
+---------------------------+--------------------+----------------------+------+

At the moment it only supports ordering by size, by the number of call references from a function, and by the number of xrefs to a function.
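The same function statistics can be computed from radare2's JSON commands instead of grepping its text output, which also sidesteps the colorized-output problem noted in the TODO list. The following is an added example, not the repository's exe_stats.py: it works offline on constructed aflj/axtj-shaped records, and the collect_from_r2 helper (which assumes r2pipe and radare2 are installed, and that axtj entries carry from/fcn_addr fields) runs the same logic on a real binary.

```python
import sys
from collections import Counter
# Constructed sample shaped like radare2's `aflj` output (only the fields used here).
SAMPLE_FUNCS = [
    {"name": "entry0", "offset": 0x401000, "size": 11},
    {"name": "fcn.00401014", "offset": 0x401014, "size": 585},
    {"name": "fcn.00401260", "offset": 0x401260, "size": 46},
    {"name": "sym.imp.kernel32.dll_GetProcAddress", "offset": 0x402000, "size": 6},
]
# Constructed call edges (calling function address, callee address), as `axtj` reports them.
SAMPLE_EDGES = [
    (0x401000, 0x401014), (0x401000, 0x401260),
    (0x401014, 0x402000), (0x401014, 0x402000), (0x401260, 0x402000),
]
SORT_KEYS = {"size": "size", "to": "refs_to", "from": "refs_from"}

def function_stats(funcs, edges, order="size"):
    """Return rows {name, refs_to, refs_from, size} sorted ascending by `order`."""
    refs_to = Counter(dst for _, dst in edges)      # how many call sites target the function
    refs_from = Counter(src for src, _ in edges)    # how many calls the function makes
    rows = [{"name": f["name"], "refs_to": refs_to[f["offset"]],
             "refs_from": refs_from[f["offset"]], "size": f["size"]} for f in funcs]
    rows.sort(key=lambda r: (r[SORT_KEYS[order]], r["name"]))
    return rows

def render(rows):
    """Plain-text table; no texttable needed and no ANSI colour to confuse later parsing."""
    cols = ("name", "refs_to", "refs_from", "size")
    widths = {c: max(len(c), *(len(str(r[c])) for r in rows)) for c in cols}
    line = "+" + "+".join("-" * (widths[c] + 2) for c in cols) + "+"
    fmt = lambda r: "| " + " | ".join(str(r[c]).ljust(widths[c]) for c in cols) + " |"
    return "\n".join([line, fmt({c: c for c in cols}), line, *map(fmt, rows), line])

def collect_from_r2(path):
    """Pull the same records from a real binary (assumes r2pipe and radare2 are installed)."""
    import r2pipe
    r2 = r2pipe.open(path, flags=["-2"])   # -2: keep radare2's stderr quiet
    r2.cmd("e scr.color=0")                # ask for uncoloured output before parsing anything
    r2.cmd("aaa")
    funcs = r2.cmdj("aflj") or []
    edges = [(x.get("fcn_addr", x["from"]), f["offset"])
             for f in funcs for x in (r2.cmdj(f"axtj @ {f['offset']}") or [])]
    r2.quit()
    return funcs, edges

if __name__ == "__main__":
    funcs, edges = collect_from_r2(sys.argv[1]) if len(sys.argv) > 1 else (SAMPLE_FUNCS, SAMPLE_EDGES)
    order = sys.argv[2] if len(sys.argv) > 2 else "size"
    print(render(function_stats(funcs, edges, order)))
```

Run it with no arguments to see the constructed sample, or pass a binary path and one of size/to/from as the sort key.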

call_graph_to_x32_db.py

Dependencies

  • r2pipe
  • awk
  • grep

Example

python3 call_graph_to_x32_db.py -f 0x00425234 -o test.dd32 text.exe

unpacker.py

Dependencies

  • qiling

lazarus_mata_sig_fn.py

Dependencies

  • qiling
  • r2pipe

stackstrings.py

Dependencies

  • Ghidra

stackstrings.java

Dependencies

  • Ghidra

TODO

  • Refactoring
  • Remove awk and grep from the dependencies: split(' ') breaks on the output of grep -v because radare2 colorizes its output
  • See why some breakpoints need to have an absolute address and the other a relative address (x32/64dbg investigation)
