def analysis_step_1(): global ANGR_PROJECT global AVATAR_GDB AVATAR_GDB = AvatarGDBConcreteTarget(avatar2.archs.x86.X86, VM_IP, GDB_SERVER_PORT) ANGR_PROJECT = angr.Project("./"+MALWARE_BIN, concrete_target=AVATAR_GDB, use_sim_procedures=True, page_size=0x1000) entry_state = ANGR_PROJECT.factory.entry_state() # we have to patch the number of seconds the thread are waiting for being wake up! PATCH_1 = (claripy.BVV(0x004049bc,8*4), claripy.BVV(0x68ffffffff,8*5)) new_concrete_state = execute_concretly(ANGR_PROJECT, entry_state, CALL_TO_MAIN_MALWARE_FUNCITON, [PATCH_1], []) # Check if we have the correct address at memory, if not restart the program and do it again! # ( issue command via ssh ) if new_concrete_state.mem[REAL_ADDRESS_PTR].dword.concrete != EXPECTED_ADDRESS: teardown() sendCommandToVM(RESTART_MALWARE) time.sleep(2) print("Malware doesn't synchronized correctly as expected, restarting it now.") return None else: print("Malware synchronization happen as expected, proceeding.") return new_concrete_state
def test_concrete_engine_linux_x86_unicorn_no_simprocedures(): global avatar_gdb # pylint: disable=no-member avatar_gdb = AvatarGDBConcreteTarget(avatar2.archs.x86.X86, GDB_SERVER_IP, GDB_SERVER_PORT) p = angr.Project(binary_x86, concrete_target=avatar_gdb, use_sim_procedures=False, page_size=0x1000) entry_state = p.factory.entry_state(add_options=angr.options.unicorn) solv_concrete_engine_linux_x86(p, entry_state)
def create_concrete_connection(argvs): avatar_gdb = AvatarGDBConcreteTarget(avatar2.archs.x86.X86, GDB_SERVER_IP, GDB_SERVER_PORT) p = angr.Project(binary_x86, concrete_target=avatar_gdb, use_sim_procedures=True, page_size=0x1000) entry_state = p.factory.entry_state() entry_state.options.add(angr.options.SYMBION_SYNC_CLE) entry_state.options.add(angr.options.SYMBION_KEEP_STUBS_ON_SYNC) return p, entry_state, avatar_gdb
def test_concrete_engine_linux_x64_no_simprocedures(): #print("test_concrete_engine_linux_x64_no_simprocedures") global avatar_gdb # pylint: disable=no-member avatar_gdb = AvatarGDBConcreteTarget(avatar2.archs.x86.X86_64, GDB_SERVER_IP, GDB_SERVER_PORT) p = angr.Project(binary_x64, concrete_target=avatar_gdb, use_sim_procedures=False, page_size=0x1000) entry_state = p.factory.entry_state() solv_concrete_engine_linux_x64(p, entry_state)
def test_concrete_engine_linux_x86_simprocedures(): global avatar_gdb # pylint: disable=no-member avatar_gdb = AvatarGDBConcreteTarget(avatar2.archs.x86.X86, GDB_SERVER_IP, GDB_SERVER_PORT) p = angr.Project(binary_x86, concrete_target=avatar_gdb, use_sim_procedures=True) entry_state = p.factory.entry_state() solv_concrete_engine_linux_x86(p, entry_state)
def test_concrete_engine_linux_arm_no_unicorn_simprocedures(): #print("test_concrete_engine_linux_x86_unicorn_simprocedures") global avatar_gdb # pylint: disable=no-member avatar_gdb = AvatarGDBConcreteTarget(avatar2.archs.ARM, GDB_SERVER_IP, GDB_SERVER_PORT) p = angr.Project(binary_arm, concrete_target=avatar_gdb, use_sim_procedures=True) entry_state = p.factory.entry_state() solv_concrete_engine_linux_arm(p, entry_state)
def test_concrete_engine_linux_x86_simprocedures(): global avatar_gdb # pylint: disable=no-member avatar_gdb = AvatarGDBConcreteTarget(avatar2.archs.x86.X86, GDB_SERVER_IP, GDB_SERVER_PORT) p = angr.Project(binary_x86, concrete_target=avatar_gdb, use_sim_procedures=True, page_size=0x1000) entry_state = p.factory.entry_state() entry_state.options.add(angr.options.SYMBION_SYNC_CLE) entry_state.options.add(angr.options.SYMBION_KEEP_STUBS_ON_SYNC) solve_concrete_engine_linux_x86(p, entry_state)
def test_concrete_engine_windows_x64_unicorn_simprocedures(): #print("test_concrete_engine_windows_x64_unicorn_simprocedures") global avatar_gdb try: # pylint: disable=no-member avatar_gdb = AvatarGDBConcreteTarget(avatar2.archs.x86.X86_64, GDB_SERVER_IP, GDB_SERVER_PORT) p = angr.Project(binary_x64, concrete_target=avatar_gdb, use_sim_procedures=True, page_size=0x1000) entry_state = p.factory.entry_state(add_options=angr.options.unicorn) solv_concrete_engine_windows_x64(p, entry_state) except ValueError: #print("Failing executing test") pass
def test_concrete_engine_linux_x64_unicorn_no_simprocedures(): #print("test_concrete_engine_linux_x64_unicorn_no_simprocedures") global avatar_gdb # pylint: disable=no-member avatar_gdb = AvatarGDBConcreteTarget(avatar2.archs.x86.X86_64, GDB_SERVER_IP, GDB_SERVER_PORT) p = angr.Project(binary_x64, concrete_target=avatar_gdb, use_sim_procedures=False, page_size=0x1000) entry_state = p.factory.entry_state(add_options=angr.options.unicorn) entry_state.options.add(angr.options.SYMBION_SYNC_CLE) entry_state.options.add(angr.options.SYMBION_KEEP_STUBS_ON_SYNC) solv_concrete_engine_linux_x64(p, entry_state)
def test_concrete_engine_windows_x86_no_simprocedures(): global avatar_gdb try: # pylint: disable=no-member avatar_gdb = AvatarGDBConcreteTarget(avatar2.archs.x86.X86, GDB_SERVER_IP, GDB_SERVER_PORT) p = angr.Project(binary_x86, concrete_target=avatar_gdb, use_sim_procedures=False, page_size=0x1000) entry_state = p.factory.entry_state() solv_concrete_engine_windows_x86(p, entry_state) except ValueError: #print("Failing executing test") pass
def test_concrete_engine_windows_x86_unicorn_no_simprocedures(): global avatar_gdb #print("test_concrete_engine_windows_x86_unicorn_no_simprocedures") try: # pylint: disable=no-member avatar_gdb = AvatarGDBConcreteTarget(avatar2.archs.x86.X86, GDB_SERVER_IP, GDB_SERVER_PORT) p = angr.Project(binary_x86, concrete_target=avatar_gdb, use_sim_procedures=False, page_size=0x1000) entry_state = p.factory.entry_state(add_options=angr.options.unicorn) entry_state.options.add(angr.options.SYMBION_SYNC_CLE) entry_state.options.add(angr.options.SYMBION_KEEP_STUBS_ON_SYNC) solv_concrete_engine_windows_x86(p, entry_state) except ValueError: #print("Failing executing test") pass
SSH_USER = sys.argv[3] SSH_PASSWORD = sys.argv[4] except Exception: print( "Usage: python bashlite_analyze.py <VM_IP> <GDB_SERVER_PORT> <SSH_USER> <SSH_PASSWORD>" ) sys.exit(1) # Connect via SSH to the concrete environment. connectToVM() # Star the malware under gdbserver. sendCommandToVM(RESTART_MALWARE) # Let's instantiate the target and the angr project. AVATAR_GDB = AvatarGDBConcreteTarget(avatar2.archs.x86.X86_64, VM_IP, GDB_SERVER_PORT) ANGR_PROJECT = angr.Project("./" + MALWARE_BIN, concrete_target=AVATAR_GDB, use_sim_procedures=True, page_size=0x1000) entry_state = ANGR_PROJECT.factory.entry_state( add_options=angr.options.unicorn) # Enable following childs ( the malware spawns a children and we must follow it to reach the dispatcher ) entry_state.project.concrete_target.target.protocols.execution.console_command( "set follow-fork-mode child", "done") # Let's sync right after the echoconnection. new_concrete_state = execute_concretly(ANGR_PROJECT, entry_state, AFTER_ECHOCONNECTION, [], [])