def print_hunks(hunks):
    '''
    Print a one-line summary of the first block of every hunk.

    Each hunk is indexed by position; its first block is a tuple whose
    element 0 is the block kind.  NAME and BSS blocks also show element 1,
    CODE blocks show the code size and are handed to disassemble(), and
    any other kind is printed by name only.  Returns None.
    '''
    for index, hunk in enumerate(hunks):
        block = hunk[0]
        kind = block[0]

        if kind == 'CODE':
            code = block[1]
            print("%d: '%s', size = %d" % (index, kind, len(code)))
            disassemble(code)
            continue

        if kind == 'NAME':
            summary = "%d: '%s' -> '%s'" % (index, kind, block[1])
        elif kind == 'BSS':
            summary = "%d: '%s' -> %d" % (index, kind, block[1])
        else:
            summary = "%d: '%s'" % (index, kind)
        print(summary)
def print_hunks(hunks):
    '''
    Print a short description of each hunk's first block, one per line.

    The line starts with the hunk position and the block kind (element 0 of
    the block).  NAME/BSS blocks append element 1, CODE blocks append the
    length of the code and are disassembled via disassemble(); everything
    else prints just the kind.  Returns None.
    '''
    # format strings for the two kinds that carry a printable payload
    payload_formats = {
        'NAME': "%d: '%s' -> '%s'",
        'BSS': "%d: '%s' -> %d",
    }

    for position, hunk in enumerate(hunks):
        block = hunk[0]
        kind = block[0]

        if kind == 'CODE':
            print("%d: '%s', size = %d" % (position, kind, len(block[1])))
            disassemble(block[1])
        elif kind in payload_formats:
            print(payload_formats[kind] % (position, kind, block[1]))
        else:
            print("%d: '%s'" % (position, kind))
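def disassemble_and_predict(file_name,
                            opcodesDict,
                            family=FAMILY,
                            binary=False):
    '''
    Disassemble the file provided and predict whether it is malware.
    If it is, also predict what malware family it belongs to.

    Args:
        file_name: path of the sample handed to disassemble().
        opcodesDict: opcode -> int mapping passed through opcodesToInt();
            the (possibly extended) mapping it returns is only used locally
            and is not handed back to the caller.
        family: sequence of family names, indexed by classifier label - 1
            (labels presumably start at 1 -- confirm against the model).
        binary: forwarded unchanged to disassemble().

    Prints the verdict to stdout; returns None.
    '''
    # NOTE(review): loadPklFile presumably unpickles these files. Unpickling
    # executes code embedded in the file, so the .pkl models must only ever
    # be loaded from a trusted, integrity-checked location.
    classificationAlgorithm = loadPklFile('classificationAlgorithm.pkl')
    detectionAlgorithm = loadPklFile('detectionAlgorithm.pkl')
    length, skip_distance, powerOf2 = loadPklFile('algorithmConfig.pkl')

    opcodes = disassemble(file_name, binary)
    opcodes, opcodesDict = opcodesToInt(opcodes, opcodesDict)
    predictionMatrix = getPredictionFeatures(opcodes, length, skip_distance,
                                             powerOf2)

    # One predict() per model: the old code ran the detector twice and
    # discarded the second result.
    prediction = detectionAlgorithm.predict(predictionMatrix)
    classification = classificationAlgorithm.predict(predictionMatrix)
    classificationList = classificationAlgorithm.predict_proba(
        predictionMatrix)

    # Flag as malware when either the detector says so or the family
    # classifier is more than 50% confident in some family.  prediction is
    # indexed (as in the else branch) so the test is a plain scalar compare.
    if max(classificationList[0]) > 0.5 or prediction[0] == 1:
        print(file_name, ': ', family[classification[0] - 1])
        print(file_name, ': ', classificationList)
        print()
    else:
        print(file_name, ': ', family[prediction[0]])
        print()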
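def pretty_dis(obj, address=0):
    ''' returns a disassembly w/ labels

    Two passes over disassemble(obj): the first records every jump target so
    a label can be emitted at that offset, the second formats each
    instruction.  Relative jumps (opcode.hasjrel) are keyed on the decoded
    arg, absolute jumps (opcode.hasjabs) on the raw oparg; on recent CPython
    versions hasjabs may be empty, leaving those branches unused.  *address*
    is added to every offset when naming labels so the listing can be
    rebased.  Returns the whole listing as one newline-joined string.
    '''

    insns = []
    labels = {}

    # pass 1: collect jump targets (only the keys of `labels` are ever read)
    for ofs, mnem, arg, op in disassemble(obj):
        opnum, oparg = op

        if opnum in opcode.hasjrel:
            labels[arg] = ofs
        elif opnum in opcode.hasjabs:
            labels[oparg] = ofs

        insns.append((ofs, mnem, arg, (opnum, oparg)))

    # pass 2: format results (might want to align this into some columns
    ## yes, i know the function name is really ironic. ;)
    res = []

    for ofs, mnem, arg, (opnum, oparg) in insns:
        mnem = mnem.lower()

        if ofs in labels:
            # blank line before a label, except at the very start of the listing
            prefix = '\n' if ofs > 0 else ''
            res.append('%slabel_%x:' % (prefix, ofs + address))

        if oparg is None:
            res.append('    %s' % mnem.ljust(16))
            continue

        # jumps to a known label print the label and drop the comment;
        # everything else prints the raw oparg with the decoded arg as comment
        comment = repr(arg)
        if opnum in opcode.hasjrel and arg in labels:
            comment = ''
            arg = 'label_%x' % arg

        elif opnum in opcode.hasjabs and oparg in labels:
            comment = ''
            arg = 'label_%x' % oparg

        else:
            arg = oparg

        if comment:
            comment = '# -> %s' % repr(comment)

        # FIXME: hardcoded length is 32. (why would you need such huge names for a label anyways)
        res.append('    %s %s    %s' % (mnem.ljust(16), str(arg).ljust(32), comment))

        # visually separate basic blocks: after jumps, stores and calls
        if ofs not in labels:
            if opnum in opcode.hasjrel or mnem.startswith(('store', 'call')):
                res.append('')

    return '\n'.join(res)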
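 def testFormatII(self):
     """Check every format-II test vector in formatIItests.

     Each entry is (expected listing line, iop, expected cycle count); iop
     is a sequence of pairs whose second element is the instruction word,
     and only those words are fed to the disassembler.  Output is compared
     token-wise so whitespace differences are ignored.
     """
     for line, iop, desired_cycles in formatIItests:
         insn = disassemble.disassemble([word for _, word in iop])
         # assertEqual instead of failUnless: the latter alias no longer
         # exists on current unittest, and assertEqual shows both values.
         self.assertEqual(str(insn).split(), line.split(),
                          '%r failed, wrong output (%s)' % (line, insn))
         self.assertEqual(desired_cycles, insn.cycles,
                          '%r failed, wrong number of cycles' % line)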
def do_disassemble(arch):
    """Answer one disassembly prompt on the remote connection r.

    Waits for the service's prompt, reads the base64 blob it sends on the
    next line, disassembles the decoded bytes for *arch*, base64-encodes the
    listing and sends it back.  Every stage is echoed to stdout.
    """
    prompt = '( in base64 encoded format ): \n'
    r.recvuntil(prompt)

    encoded = r.recvline()
    print(encoded)

    # the payload is remote-supplied; disassemble() is what has to cope with it
    listing = disassemble(b64decode(encoded), arch)
    print(listing)

    reply = b64encode(listing)
    print(reply)
    r.sendline(reply)
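    def updateText(self):
        """Refresh the widget with a disassembly of the 0x60 bytes at self.base.

        Reads target memory through bugger when it is connected, otherwise
        renders an all-zero block so the view still has content.  Each of the
        24 big-endian words is shown as "address:  raw word  instruction".
        """
        if bugger.connected:
            blob = bugger.read(self.base, 0x60)
        else:
            blob = b"\x00" * 0x60

        # 24 words * 4 bytes == 0x60; a short read from bugger would raise
        # struct.error here, exactly as before.
        lines = []
        for i in range(24):
            address = self.base + i * 4
            value = struct.unpack_from(">I", blob, i * 4)[0]
            instr = disassemble.disassemble(value, address)
            lines.append("%08X:  %08X  %s\n" % (address, value, instr))
        # build the text once instead of growing a string in the loop
        self.setPlainText("".join(lines))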
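    def disassemble(self):
        """Disassemble self.filename (a .yo file) into a sibling .ys file and show it.

        Any other extension is rejected with a message in the console.  On
        success the generated .ys text is shown in the code-out pane; if the
        disassembler module reports an error through its module-level
        `disassemble.error` string, that is shown instead and the pane is
        cleared.  Returns None.
        """
        infile = str(self.filename)
        base, ext = os.path.splitext(infile)
        if ext != '.yo':
            self.showtext('Unable to disassemble %s' % infile)
            self.ui.console.setPlainText('Invalid file to discompile')
            return
        outfile = base + '.ys'

        # `disassemble` here is the module, not this method.  Context managers
        # close both handles even if the disassembler raises; the old code
        # never closed the input file at all.
        with open(infile, 'r') as src, open(outfile, 'w') as dst:
            disassemble.disassemble(src, dst)

        # NOTE(review): errors are reported via module state rather than a
        # return value; an empty string is taken to mean success.
        error = disassemble.error
        if error != '':
            self.ui.console.setPlainText(error)
            self.ui.codeout.setPlainText('')
        else:
            self.ui.console.setPlainText('disassemble success')
            with open(outfile, 'r') as result:
                text = result.read()
            self.ui.codeout.setPlainText(text)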
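 def disassemble(self):
     """Disassemble self.filename (a .yo file) into a sibling .ys file and show it.

     Files with any other extension are rejected via the console.  On
     success the .ys text goes to the code-out pane; when the disassembler
     module leaves a non-empty `disassemble.error` string, that message is
     shown instead and the pane is cleared.  Returns None.
     """
     infile = str(self.filename)
     base, ext = os.path.splitext(infile)
     if ext != '.yo':
         self.showtext('Unable to disassemble %s' % infile)
         self.ui.console.setPlainText('Invalid file to discompile')
         return
     outfile = base + '.ys'

     # `disassemble` is the module here, not this method.  The with-block
     # guarantees both handles are closed (the input file previously never was).
     with open(infile, 'r') as src, open(outfile, 'w') as dst:
         disassemble.disassemble(src, dst)

     # NOTE(review): error reporting is through module state; '' means success.
     error = disassemble.error
     if error != '':
         self.ui.console.setPlainText(error)
         self.ui.codeout.setPlainText('')
     else:
         self.ui.console.setPlainText('disassemble success')
         with open(outfile, 'r') as result:
             text = result.read()
         self.ui.codeout.setPlainText(text)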
         address = int(addressStr, 16)
     # raw write of the hex-encoded bytes in splitCmd[2] to the resolved address
     bugger.write(address, binascii.unhexlify(splitCmd[2]))
 elif cmd == "ppc":
     # ppc <addr|rN> [len]: read `len` bytes (hex, default 4) and print them
     # as big-endian 32-bit words, one disassembled instruction per line.
     # (The if/elif chain this belongs to starts before this excerpt.)
     addressStr = splitCmd[1]
     if addressStr[0] == 'r':
         # 'rN' takes the address from general-purpose register N of the
         # saved exception state; anything else is parsed as a hex address
         address = exceptionState.gpr[int(addressStr[1:])]
     else:
         address = int(addressStr, 16)
     length = 4
     if len(splitCmd) > 2:
         length = int(splitCmd[2], 16)
     ppcBytes = bugger.read(address, length)
     # integer division: a trailing partial word is silently dropped
     for i in range(int(len(ppcBytes) / 4)):
         value = struct.unpack('>L',ppcBytes[i*4:i*4 + 4])[0]
         addr = address + (i*4)
         instr = disassemble.disassemble(value, addr)
         print("%08X:  %08X  %s" %(addr, value, instr))
 elif cmd == "stack" or cmd == "stacktrace" or cmd == "trace":
     # one hex return address per line, in the order bugger reports them
     stackTrace = bugger.getStackTrace()
     print('')
     for address in stackTrace:
         print("%X" % address)
 elif cmd == "registers" or cmd == "regs":
     # 32 GPRs in a 4x8 grid, then the special registers on one line;
     # only meaningful once an exception state has been captured
     if exceptionState.filled:
         for i in range(4):
             for j in range(8):
                 print("r%2i: %08X" % (i*8 + j, exceptionState.gpr[i*8 + j]), end=' ')
             print('')
         print('CR:%08X LR:%08X CTR:%08X XER:%08X EX0:%08X EX1:%08X SRR0:%08X SRR1:%08X' % (exceptionState.cr, exceptionState.lr, exceptionState.ctr, exceptionState.xer, exceptionState.ex0, exceptionState.ex1, exceptionState.srr0, exceptionState.srr1))
     else:
         print("No exception state")
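 def testMiscInsns(self):
     """Decode the single word 0x1300 and check it is a 5-cycle `reti`."""
     insn = disassemble.disassemble([0x1300])
     # assertEqual rather than the removed failUnless alias; it also reports
     # the actual value on failure
     self.assertEqual(str(insn).strip(), 'reti')
     self.assertEqual(insn.cycles, 5)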