def print_hunks(hunks):
    """Print a one-line summary of every hunk; CODE hunks are also disassembled.

    Each ``hunk`` is indexed for its first element, a block whose ``[0]`` is the
    block type string (``'NAME'``, ``'BSS'``, ``'CODE'`` or anything else) and
    whose ``[1]`` is that type's payload (name, size, or code bytes).  Output
    goes to stdout; nothing is returned.
    """
    for index, hunk in enumerate(hunks):
        block = hunk[0]
        kind = block[0]
        if kind == 'NAME':
            line = "%d: '%s' -> '%s'" % (index, kind, block[1])
        elif kind == 'BSS':
            line = "%d: '%s' -> %d" % (index, kind, block[1])
        elif kind == 'CODE':
            line = "%d: '%s', size = %d" % (index, kind, len(block[1]))
        else:
            line = "%d: '%s'" % (index, kind)
        print(line)
        if kind == 'CODE':
            # The instruction listing follows the header line of a CODE hunk.
            disassemble(block[1])
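def disassemble_and_predict(file_name, opcodesDict, family=FAMILY, binary=False):
    '''
    Disassemble ``file_name`` and print whether it is predicted to be malware
    and, if so, which family the classifier assigns it to.

    file_name   : path of the sample handed to ``disassemble``.
    opcodesDict : opcode -> integer mapping passed to ``opcodesToInt``.  The
                  mapping that call returns is only used locally and is not
                  returned, so new opcodes reach the caller only if
                  ``opcodesToInt`` mutates the dict in place (unverified here).
    family      : sequence of family names indexed by the model labels.
    binary      : forwarded unchanged to ``disassemble``.

    Prints the result; returns None.
    '''
    # SECURITY: these models are unpickled.  pickle.load executes arbitrary
    # code from the file, so the .pkl files must come from a trusted,
    # integrity-checked location -- never from or next to the sample under
    # analysis or any other untrusted path.
    classificationAlgorithm = loadPklFile('classificationAlgorithm.pkl')
    detectionAlgorithm = loadPklFile('detectionAlgorithm.pkl')
    length, skip_distance, powerOf2 = loadPklFile('algorithmConfig.pkl')

    opcodes = disassemble(file_name, binary)
    opcodes, opcodesDict = opcodesToInt(opcodes, opcodesDict)
    predictionMatrix = getPredictionFeatures(opcodes, length, skip_distance, powerOf2)

    # A single detector call; the original issued the same predict() twice
    # and discarded the second result.
    prediction = detectionAlgorithm.predict(predictionMatrix)
    classification = classificationAlgorithm.predict(predictionMatrix)
    classificationList = classificationAlgorithm.predict_proba(predictionMatrix)

    # The function treats the matrix as a single sample (both branches index
    # row 0), so compare the first label explicitly instead of relying on the
    # truth value of a whole array.  A confident family score or a positive
    # detection both count as malware.
    # NOTE(review): the two branches index `family` differently (label - 1
    # vs. raw label); confirm this matches how the models were trained.
    if max(classificationList[0]) > 0.5 or prediction[0] == 1:
        print(file_name, ': ', family[classification[0] - 1])
        print(file_name, ': ', classificationList)
        print()
    else:
        print(file_name, ': ', family[prediction[0]])
        print()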
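def pretty_dis(obj, address=0):
    '''
    Return a disassembly of ``obj`` as a string, with ``label_<hex>:`` lines
    inserted in front of every jump target.

    ``disassemble(obj)`` (defined elsewhere in this file) is expected to yield
    ``(ofs, mnem, arg, (opnum, oparg))`` tuples.  For relative jumps ``arg`` is
    taken to be the resolved target offset, for absolute jumps ``oparg`` is.
    ``address`` is added to every offset that appears in a label name, both
    where the label is defined and where a jump refers to it.
    '''
    # First pass: record which offsets are jump targets.  The dict maps
    # target offset -> offset of (the last) instruction jumping there; only
    # the keys are used below.
    insns = []
    labels = {}
    for ofs, mnem, arg, op in disassemble(obj):
        opnum, oparg = op
        if opnum in opcode.hasjrel:
            labels[arg] = ofs
        elif opnum in opcode.hasjabs:
            labels[oparg] = ofs
        insns.append((ofs, mnem, arg, (opnum, oparg)))

    # Second pass: format.  Columns are fixed width (mnemonic 16, operand 32).
    res = []
    for ofs, mnem, arg, (opnum, oparg) in insns:
        mnem = mnem.lower()
        if ofs in labels:
            # A blank line precedes every label except one at offset 0.
            prefix = '\n' if ofs > 0 else ''
            res.append('%slabel_%x:' % (prefix, ofs + address))
        if oparg is None:
            res.append(' %s' % mnem.ljust(16))
            continue
        comment = repr(arg)
        if opnum in opcode.hasjrel and arg in labels:
            comment = ''
            # Label definitions include `address`, so references must too;
            # the original omitted it and produced dangling label names
            # whenever a non-zero base address was passed.
            arg = 'label_%x' % (arg + address)
        elif opnum in opcode.hasjabs and oparg in labels:
            comment = ''
            arg = 'label_%x' % (oparg + address)
        else:
            arg = oparg
        if comment:
            # NOTE: `comment` is already repr(arg); it is repr()'d a second
            # time here.  Kept as-is to preserve the existing output format.
            comment = '# -> %s' % repr(comment)
        res.append(' %s %s %s' % (mnem.ljust(16), str(arg).ljust(32), comment))
        # Blank line after jumps, stores and calls, unless this instruction is
        # itself a jump target (its label already separates it).
        if ofs not in labels:
            if opnum in opcode.hasjrel or mnem.startswith(('store', 'call')):
                res.append('')
    return '\n'.join(res)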
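def testFormatII(self):
    """Check every format-II case in ``formatIItests``.

    Each entry is ``(line, iop, desired_cycles)``: ``iop`` is a sequence of
    ``(mnemonic, word)`` pairs whose words are fed to the disassembler, which
    must reproduce ``line`` (compared token-wise so whitespace does not
    matter) and report ``desired_cycles``.
    """
    for line, iop, desired_cycles in formatIItests:
        insn = disassemble.disassemble([w for _, w in iop])
        # assertEqual replaces failUnless, which is deprecated and removed
        # in Python 3.12; it also reports both values on failure.
        self.assertEqual(str(insn).split(), line.split(),
                         '%r failed, wrong output (%s)' % (line, insn))
        self.assertEqual(insn.cycles, desired_cycles,
                         '%r failed, wrong number of cycles' % line)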
def do_disassemble(arch):
    """Answer one round of the remote's disassembly challenge.

    Waits for the prompt on the module-level connection ``r``, reads one
    base64 line, disassembles the decoded bytes for ``arch`` with
    ``disassemble()`` and sends the base64-encoded listing back.  The raw
    line, the listing and the encoded reply are echoed to stdout.
    """
    r.recvuntil('( in base64 encoded format ): \n')
    encoded = r.recvline()
    print(encoded)
    # The line still carries its newline; b64decode is presumably the
    # base64 one, which discards non-alphabet characters.
    listing = disassemble(b64decode(encoded), arch)
    print(listing)
    reply = b64encode(listing)
    print(reply)
    r.sendline(reply)
def updateText(self):
    """Refresh the widget with a disassembly of the 24 words at ``self.base``.

    When the debugger is connected the 0x60 bytes are read from the target;
    otherwise an all-zero buffer is shown so the view still renders.  Each
    output line is ``ADDRESS: RAWWORD mnemonic`` with words decoded as
    big-endian 32-bit values.
    """
    word_count = 24
    size = word_count * 4            # 0x60 bytes
    if bugger.connected:
        blob = bugger.read(self.base, size)
    else:
        blob = b"\x00" * size
    lines = []
    for index in range(word_count):
        offset = index * 4
        address = self.base + offset
        value = struct.unpack_from(">I", blob, offset)[0]
        instr = disassemble.disassemble(value, address)
        lines.append("%08X: %08X %s\n" % (address, value, instr))
    self.setPlainText("".join(lines))
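def disassemble(self):
    """Disassemble the current ``.yo`` file into a ``.ys`` file next to it and
    show the result (or the disassembler's error text) in the UI.

    Only files whose extension is exactly ``.yo`` are accepted; anything else
    is reported in the console and nothing is written.  ``disassemble.error``
    (a module-level string set by ``disassemble.disassemble``) decides whether
    the run counted as a success.
    """
    infile = str(self.filename)
    base, ext = os.path.splitext(infile)
    if ext != '.yo':
        self.showtext('Unable to disassemble %s' % infile)
        self.ui.console.setPlainText('Invalid file to discompile')
        return
    outfile = base + '.ys'
    # Context managers: the original never closed the input handle and
    # reopened the output without closing the second handle either.
    with open(infile, 'r') as src, open(outfile, 'w') as dst:
        disassemble.disassemble(src, dst)
    error = disassemble.error
    if error != '':
        self.ui.console.setPlainText(error)
        self.ui.codeout.setPlainText('')
    else:
        self.ui.console.setPlainText('disassemble success')
        with open(outfile, 'r') as result:
            self.ui.codeout.setPlainText(result.read())
    return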
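def disassemble(self):
    """Disassemble the current ``.yo`` file into a ``.ys`` file next to it and
    show the result (or the disassembler's error text) in the UI.

    Only files whose extension is exactly ``.yo`` are accepted; anything else
    is reported in the console and nothing is written.  ``disassemble.error``
    (a module-level string set by ``disassemble.disassemble``) decides whether
    the run counted as a success.
    """
    infile = str(self.filename)
    base, ext = os.path.splitext(infile)
    if ext != '.yo':
        self.showtext('Unable to disassemble %s' % infile)
        self.ui.console.setPlainText('Invalid file to discompile')
        return
    outfile = base + '.ys'
    # Context managers: the original never closed the input handle and
    # reopened the output without closing the second handle either.
    with open(infile, 'r') as src, open(outfile, 'w') as dst:
        disassemble.disassemble(src, dst)
    error = disassemble.error
    if error != '':
        self.ui.console.setPlainText(error)
        self.ui.codeout.setPlainText('')
    else:
        self.ui.console.setPlainText('disassemble success')
        with open(outfile, 'r') as result:
            self.ui.codeout.setPlainText(result.read())
    return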
address = int(addressStr, 16) bugger.write(address, binascii.unhexlify(splitCmd[2])) elif cmd == "ppc": addressStr = splitCmd[1] if addressStr[0] == 'r': address = exceptionState.gpr[int(addressStr[1:])] else: address = int(addressStr, 16) length = 4 if len(splitCmd) > 2: length = int(splitCmd[2], 16) ppcBytes = bugger.read(address, length) for i in range(int(len(ppcBytes) / 4)): value = struct.unpack('>L',ppcBytes[i*4:i*4 + 4])[0] addr = address + (i*4) instr = disassemble.disassemble(value, addr) print("%08X: %08X %s" %(addr, value, instr)) elif cmd == "stack" or cmd == "stacktrace" or cmd == "trace": stackTrace = bugger.getStackTrace() print('') for address in stackTrace: print("%X" % address) elif cmd == "registers" or cmd == "regs": if exceptionState.filled: for i in range(4): for j in range(8): print("r%2i: %08X" % (i*8 + j, exceptionState.gpr[i*8 + j]), end=' ') print('') print('CR:%08X LR:%08X CTR:%08X XER:%08X EX0:%08X EX1:%08X SRR0:%08X SRR1:%08X' % (exceptionState.cr, exceptionState.lr, exceptionState.ctr, exceptionState.xer, exceptionState.ex0, exceptionState.ex1, exceptionState.srr0, exceptionState.srr1)) else: print("No exception state")
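def testMiscInsns(self):
    """A lone 0x1300 word must decode to ``reti`` and cost 5 cycles."""
    insn = disassemble.disassemble([0x1300])
    # assertEqual replaces failUnless, which is deprecated and removed in
    # Python 3.12; it also reports both values on failure.
    self.assertEqual(str(insn).strip(), 'reti')
    self.assertEqual(insn.cycles, 5)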