Polichombr

This tool aims to provide a collaborative malware analysis framework. It was originally presented at SSTIC 2016.

Documentation

More detailed documentation can be found in the docs folder.

Analysis platform

Polichombr is designed to help analysts reverse-engineer malware as a team. It provides an engine to automate analysis tasks and identify hotpoints in a binary, a script to collaborate while reversing binaries, and a store to manage information about malware families.

Example scripts

The scripts in the examples folder perform some basic actions against a Polichombr instance.

Generic sample information

Family/Threat overview

Online disassembly

Share IDA Pro information from the WebUI or directly with other users

Automated hotpoints detection

Taking notes right from IDA

Plugins / tasks

Tasks are loaded from the app/controllers/tasks directory and must inherit from the Task object. Several tasks are already implemented.
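To make the plugin model concrete, here is an added example (not Polichombr's own code) of how a loader can import every module in a task directory and keep only the classes that inherit from a Task base class. The Task interface shown (an `order` attribute and an `execute(sample)` method), the plugin sources and the sample bytes are all constructed for the demonstration; the real project's Task object may expose different methods.

```python
"""Plugin discovery in the style of a task directory.

Added example, not Polichombr's own code: it assumes a hypothetical Task
base class with an ``order`` attribute and an ``execute(sample)`` method,
and demonstrates how a loader can import every module in a directory and
register only the classes that inherit from Task.
"""
import importlib.util
import inspect
import os
import tempfile


class Task:
    """Hypothetical base class every plugin must inherit from."""

    order = 100  # lower values run first

    def execute(self, sample: dict) -> dict:
        """Return the findings to merge into the sample record."""
        raise NotImplementedError


def load_tasks(directory: str) -> list:
    """Import each *.py file in ``directory`` and instantiate every concrete
    Task subclass defined there, ordered by ``order``."""
    tasks = []
    for filename in sorted(os.listdir(directory)):
        if not filename.endswith(".py") or filename.startswith("_"):
            continue
        spec = importlib.util.spec_from_file_location(
            f"task_plugin_{filename[:-3]}", os.path.join(directory, filename))
        module = importlib.util.module_from_spec(spec)
        # Stand-alone demo: a real project would import Task from its package.
        module.Task = Task
        spec.loader.exec_module(module)
        for _, cls in inspect.getmembers(module, inspect.isclass):
            # Keep classes defined in this module that subclass Task (not Task
            # itself, and not unrelated helper classes).
            if (issubclass(cls, Task) and cls is not Task
                    and cls.__module__ == module.__name__):
                tasks.append(cls())
    tasks.sort(key=lambda task: task.order)
    return tasks


def run_pipeline(tasks: list, sample: dict) -> dict:
    """Run each task in turn, merging its findings into the sample record."""
    for task in tasks:
        sample.update(task.execute(sample))
    return sample


# Constructed plugin sources, written to a temporary directory for the demo.
PLUGIN_SOURCES = {
    "hash_task.py": """
import hashlib

class HashTask(Task):
    order = 10
    def execute(self, sample):
        return {"sha256": hashlib.sha256(sample["data"]).hexdigest()}
""",
    "strings_task.py": r'''
import re

class StringsTask(Task):
    order = 20
    def execute(self, sample):
        found = re.findall(rb"[\x20-\x7e]{4,}", sample["data"])
        return {"strings": [s.decode("ascii") for s in found]}

class Helper:
    """Not a Task: the loader must ignore it."""
''',
}

# Constructed bytes standing in for a sample; not a real file.
SAMPLE_DATA = b"MZ\x90\x00Hello World\x00\x01kernel32.dll\x00abc\x00"


def demo() -> dict:
    """Write the constructed plugins, load them and run the pipeline once."""
    with tempfile.TemporaryDirectory() as directory:
        for filename, source in PLUGIN_SOURCES.items():
            with open(os.path.join(directory, filename), "w", encoding="utf-8") as fh:
                fh.write(source)
        tasks = load_tasks(directory)
        result = run_pipeline(tasks, {"data": SAMPLE_DATA})
    result["task_order"] = [type(task).__name__ for task in tasks]
    return result


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to any plugin directory of this kind: the loader registers by inheritance rather than by file name, so a stray helper class in a plugin file is ignored, and tasks declare an explicit `order` so that hashing runs before tasks that depend on its output.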

Signatures

We use several signature models to classify malware:

Machoc

Machoc is a CFG-based algorithm to classify malware. For more information, please refer to the following [paper](https://www.sstic.org/media/SSTIC2016/SSTIC-actes/demarche_d_analyse_collaborative_de_codes_malveill/SSTIC2016-Article-demarche_d_analyse_collaborative_de_codes_malveillants-chevalier_le-berre_pourcelot.pdf).
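The idea behind a CFG-based signature is that two builds of the same code keep the same control-flow structure even when addresses, constants and strings change. The following added example illustrates that idea; it is not Polichombr's Machoc implementation, and its block encoding, hash function (truncated SHA-256) and similarity measure (Jaccard over function-hash sets) are simplifications chosen for the demonstration. The functions are constructed by hand rather than taken from real disassembly.

```python
"""Control-flow-graph hashing for malware similarity.

Added example, not Polichombr's Machoc implementation: the block encoding,
the hash function and the similarity measure below are simplifications
chosen for illustration. The idea demonstrated is the one behind a
CFG-based signature: hash the structure of each function (blocks, edges,
call sites) rather than its bytes, so that two builds of the same code
still share function hashes even when addresses and constants differ.
"""
import hashlib
from collections import deque

# A function CFG is modelled as {block_id: (has_call, [successor block ids])};
# the entry block is the one with the lowest id (a stand-in for the start address).


def canonical_cfg_string(cfg: dict) -> str:
    """Renumber reachable blocks in breadth-first order from the entry so the
    encoding is independent of original addresses, then emit one token per
    block: "<n>:[c]<successor numbers>". Unreachable blocks are dropped."""
    entry = min(cfg)
    numbering = {}
    queue = deque([entry])
    while queue:
        block = queue.popleft()
        if block in numbering:
            continue
        numbering[block] = len(numbering) + 1
        queue.extend(s for s in cfg[block][1] if s not in numbering)
    tokens = []
    for block in sorted(numbering, key=numbering.get):
        has_call, successors = cfg[block]
        succ_ids = ",".join(str(numbering[s]) for s in successors)
        tokens.append(f"{numbering[block]}:{'c' if has_call else ''}{succ_ids}")
    return ";".join(tokens)


def function_hash(cfg: dict) -> str:
    """Truncated SHA-256 of the canonical string (our choice, not Machoc's hash)."""
    return hashlib.sha256(canonical_cfg_string(cfg).encode("ascii")).hexdigest()[:8]


def sample_signature(functions: list) -> set:
    """A sample's signature: the set of its function hashes."""
    return {function_hash(cfg) for cfg in functions}


def similarity(sig_a: set, sig_b: set) -> float:
    """Jaccard similarity of two signatures (1.0 = identical function sets)."""
    if not sig_a and not sig_b:
        return 1.0
    return len(sig_a & sig_b) / len(sig_a | sig_b)


# Constructed functions (not real disassembly).
LOOP = {0: (False, [1]), 1: (True, [1, 2]), 2: (False, [])}  # call inside a loop
LOOP_RELOCATED = {40: (False, [41]), 41: (True, [41, 42]), 42: (False, [])}  # same logic, other addresses
BRANCH = {0: (False, [1, 2]), 1: (True, [3]), 2: (False, [3]), 3: (False, [])}  # if/else with a call
LINEAR = {0: (True, [1]), 1: (False, [])}  # straight-line wrapper

SAMPLE_A = [LOOP, BRANCH]
SAMPLE_B = [LOOP_RELOCATED, LINEAR]  # shares only the (relocated) loop with A
SAMPLE_C = [LOOP, BRANCH, LINEAR]    # A plus one extra function


def demo() -> dict:
    """Hash the constructed samples and compare them pairwise."""
    sig_a, sig_b, sig_c = (sample_signature(s) for s in (SAMPLE_A, SAMPLE_B, SAMPLE_C))
    return {
        "loop_string": canonical_cfg_string(LOOP),
        "relocation_invariant": function_hash(LOOP) == function_hash(LOOP_RELOCATED),
        "sim_ab": similarity(sig_a, sig_b),
        "sim_ac": similarity(sig_a, sig_c),
        "sim_bc": similarity(sig_b, sig_c),
    }


if __name__ == "__main__":
    print(demo())
```

The relocated copy of the loop function hashes identically to the original, which is the property a byte-level hash lacks, while the three samples score by how many structurally identical functions they share. A practitioner should note the limitations built into this simplification: unreachable blocks are ignored, and trivially small functions (wrappers, stubs) produce hashes that collide across unrelated families and are usually filtered out before scoring.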

Skelenox

This is an IDAPython script which synchronizes names and comments with the knowledge base and with other users' databases.

Installation

Please see the corresponding file in the docs directory.

Contributing

Contributions are welcome, so please read CONTRIBUTING.md for a quick start on how to get help or add features to Polichombr.