def analysis_step_1():
global ANGR_PROJECT
global AVATAR_GDB
AVATAR_GDB = AvatarGDBConcreteTarget(avatar2.archs.x86.X86, VM_IP, GDB_SERVER_PORT)
ANGR_PROJECT = angr.Project("./"+MALWARE_BIN, concrete_target=AVATAR_GDB, use_sim_procedures=True,
page_size=0x1000)
entry_state = ANGR_PROJECT.factory.entry_state()
# we have to patch the number of seconds the thread are waiting for being wake up!
PATCH_1 = (claripy.BVV(0x004049bc,8*4), claripy.BVV(0x68ffffffff,8*5))
new_concrete_state = execute_concretly(ANGR_PROJECT, entry_state, CALL_TO_MAIN_MALWARE_FUNCITON, [PATCH_1], [])
# Check if we have the correct address at memory, if not restart the program and do it again!
# ( issue command via ssh )
if new_concrete_state.mem[REAL_ADDRESS_PTR].dword.concrete != EXPECTED_ADDRESS:
teardown()
sendCommandToVM(RESTART_MALWARE)
time.sleep(2)
print("Malware doesn't synchronized correctly as expected, restarting it now.")
return None
else:
print("Malware synchronization happen as expected, proceeding.")
return new_concrete_state
def test_concrete_engine_linux_x86_unicorn_no_simprocedures():
global avatar_gdb
# pylint: disable=no-member
avatar_gdb = AvatarGDBConcreteTarget(avatar2.archs.x86.X86, GDB_SERVER_IP, GDB_SERVER_PORT)
p = angr.Project(binary_x86, concrete_target=avatar_gdb, use_sim_procedures=False,
page_size=0x1000)
entry_state = p.factory.entry_state(add_options=angr.options.unicorn)
solv_concrete_engine_linux_x86(p, entry_state)
def create_concrete_connection(argvs):
avatar_gdb = AvatarGDBConcreteTarget(avatar2.archs.x86.X86, GDB_SERVER_IP, GDB_SERVER_PORT)
p = angr.Project(binary_x86, concrete_target=avatar_gdb, use_sim_procedures=True,
page_size=0x1000)
entry_state = p.factory.entry_state()
entry_state.options.add(angr.options.SYMBION_SYNC_CLE)
entry_state.options.add(angr.options.SYMBION_KEEP_STUBS_ON_SYNC)
return p, entry_state, avatar_gdb
def test_concrete_engine_linux_x64_no_simprocedures():
#print("test_concrete_engine_linux_x64_no_simprocedures")
global avatar_gdb
# pylint: disable=no-member
avatar_gdb = AvatarGDBConcreteTarget(avatar2.archs.x86.X86_64, GDB_SERVER_IP, GDB_SERVER_PORT)
p = angr.Project(binary_x64, concrete_target=avatar_gdb, use_sim_procedures=False,
page_size=0x1000)
entry_state = p.factory.entry_state()
solv_concrete_engine_linux_x64(p, entry_state)
def test_concrete_engine_linux_x86_simprocedures():
global avatar_gdb
# pylint: disable=no-member
avatar_gdb = AvatarGDBConcreteTarget(avatar2.archs.x86.X86, GDB_SERVER_IP,
GDB_SERVER_PORT)
p = angr.Project(binary_x86,
concrete_target=avatar_gdb,
use_sim_procedures=True)
entry_state = p.factory.entry_state()
solv_concrete_engine_linux_x86(p, entry_state)
def test_concrete_engine_linux_arm_no_unicorn_simprocedures():
#print("test_concrete_engine_linux_x86_unicorn_simprocedures")
global avatar_gdb
# pylint: disable=no-member
avatar_gdb = AvatarGDBConcreteTarget(avatar2.archs.ARM, GDB_SERVER_IP, GDB_SERVER_PORT)
p = angr.Project(binary_arm, concrete_target=avatar_gdb, use_sim_procedures=True)
entry_state = p.factory.entry_state()
solv_concrete_engine_linux_arm(p, entry_state)
def test_concrete_engine_linux_x86_simprocedures():
global avatar_gdb
# pylint: disable=no-member
avatar_gdb = AvatarGDBConcreteTarget(avatar2.archs.x86.X86, GDB_SERVER_IP, GDB_SERVER_PORT)
p = angr.Project(binary_x86, concrete_target=avatar_gdb, use_sim_procedures=True,
page_size=0x1000)
entry_state = p.factory.entry_state()
entry_state.options.add(angr.options.SYMBION_SYNC_CLE)
entry_state.options.add(angr.options.SYMBION_KEEP_STUBS_ON_SYNC)
solve_concrete_engine_linux_x86(p, entry_state)
def test_concrete_engine_windows_x64_unicorn_simprocedures():
#print("test_concrete_engine_windows_x64_unicorn_simprocedures")
global avatar_gdb
try:
# pylint: disable=no-member
avatar_gdb = AvatarGDBConcreteTarget(avatar2.archs.x86.X86_64, GDB_SERVER_IP, GDB_SERVER_PORT)
p = angr.Project(binary_x64, concrete_target=avatar_gdb, use_sim_procedures=True,
page_size=0x1000)
entry_state = p.factory.entry_state(add_options=angr.options.unicorn)
solv_concrete_engine_windows_x64(p, entry_state)
except ValueError:
#print("Failing executing test")
pass
def test_concrete_engine_linux_x64_unicorn_no_simprocedures():
#print("test_concrete_engine_linux_x64_unicorn_no_simprocedures")
global avatar_gdb
# pylint: disable=no-member
avatar_gdb = AvatarGDBConcreteTarget(avatar2.archs.x86.X86_64,
GDB_SERVER_IP, GDB_SERVER_PORT)
p = angr.Project(binary_x64,
concrete_target=avatar_gdb,
use_sim_procedures=False,
page_size=0x1000)
entry_state = p.factory.entry_state(add_options=angr.options.unicorn)
entry_state.options.add(angr.options.SYMBION_SYNC_CLE)
entry_state.options.add(angr.options.SYMBION_KEEP_STUBS_ON_SYNC)
solv_concrete_engine_linux_x64(p, entry_state)
def test_concrete_engine_windows_x86_no_simprocedures():
global avatar_gdb
try:
# pylint: disable=no-member
avatar_gdb = AvatarGDBConcreteTarget(avatar2.archs.x86.X86,
GDB_SERVER_IP, GDB_SERVER_PORT)
p = angr.Project(binary_x86,
concrete_target=avatar_gdb,
use_sim_procedures=False,
page_size=0x1000)
entry_state = p.factory.entry_state()
solv_concrete_engine_windows_x86(p, entry_state)
except ValueError:
#print("Failing executing test")
pass
def test_concrete_engine_windows_x86_unicorn_no_simprocedures():
global avatar_gdb
#print("test_concrete_engine_windows_x86_unicorn_no_simprocedures")
try:
# pylint: disable=no-member
avatar_gdb = AvatarGDBConcreteTarget(avatar2.archs.x86.X86,
GDB_SERVER_IP, GDB_SERVER_PORT)
p = angr.Project(binary_x86,
concrete_target=avatar_gdb,
use_sim_procedures=False,
page_size=0x1000)
entry_state = p.factory.entry_state(add_options=angr.options.unicorn)
entry_state.options.add(angr.options.SYMBION_SYNC_CLE)
entry_state.options.add(angr.options.SYMBION_KEEP_STUBS_ON_SYNC)
solv_concrete_engine_windows_x86(p, entry_state)
except ValueError:
#print("Failing executing test")
pass
SSH_USER = sys.argv[3]
SSH_PASSWORD = sys.argv[4]
except Exception:
print(
"Usage: python bashlite_analyze.py <VM_IP> <GDB_SERVER_PORT> <SSH_USER> <SSH_PASSWORD>"
)
sys.exit(1)
# Connect via SSH to the concrete environment.
connectToVM()
# Star the malware under gdbserver.
sendCommandToVM(RESTART_MALWARE)
# Let's instantiate the target and the angr project.
AVATAR_GDB = AvatarGDBConcreteTarget(avatar2.archs.x86.X86_64, VM_IP,
GDB_SERVER_PORT)
ANGR_PROJECT = angr.Project("./" + MALWARE_BIN,
concrete_target=AVATAR_GDB,
use_sim_procedures=True,
page_size=0x1000)
entry_state = ANGR_PROJECT.factory.entry_state(
add_options=angr.options.unicorn)
# Enable following childs ( the malware spawns a children and we must follow it to reach the dispatcher )
entry_state.project.concrete_target.target.protocols.execution.console_command(
"set follow-fork-mode child", "done")
# Let's sync right after the echoconnection.
new_concrete_state = execute_concretly(ANGR_PROJECT, entry_state,
AFTER_ECHOCONNECTION, [], [])