Awesome

Malware analysis toolbox

Homemade stuff that help me (or try to) analyse malwares.

exe_stats.py

Dependencies

r2pipe
texttable

Example

Output functions in ascending size order

python3 exe_stats.py test.exe -o size

Output examples:

+---------------------------+--------------------+----------------------+------+
|       Function name       | Number refs to fct | Number refs from fct | Size |
+===========================+====================+======================+======+
| fcn.0040100b              | 1                  | 1                    | 1    |
+---------------------------+--------------------+----------------------+------+
| fcn.005b4a92              | 1                  | 1                    | 3    |
+---------------------------+--------------------+----------------------+------+
| fcn.005b100a              | 1                  | 1                    | 4    |
+---------------------------+--------------------+----------------------+------+
| entry0                    | 190                | 1                    | 11   |
+---------------------------+--------------------+----------------------+------+
| fcn.005b76be              | 1                  | 1                    | 21   |
+---------------------------+--------------------+----------------------+------+
| fcn.005bb4ae              | 1                  | 1                    | 26   |
+---------------------------+--------------------+----------------------+------+
| fcn.005b46de              | 1                  | 1                    | 38   |
+---------------------------+--------------------+----------------------+------+
| fcn.005c872a              | 1                  | 1                    | 46   |
+---------------------------+--------------------+----------------------+------+
| fcn.005c7ef2              | 1                  | 1                    | 244  |
+---------------------------+--------------------+----------------------+------+
| sym.imp.kernel32.dll_GetP | 0                  | 1                    | 381  |
| rocAddress                |                    |                      |      |
+---------------------------+--------------------+----------------------+------+
| fcn.005b1014              | 2                  | 6                    | 585  |
+---------------------------+--------------------+----------------------+------+
| fcn.005b26e6              | 1                  | 1                    | 966  |
+---------------------------+--------------------+----------------------+------+
| fcn.00473367              | 2                  | 1                    | 1010 |
+---------------------------+--------------------+----------------------+------+
| fcn.005c0122              | 1                  | 1                    | 1020 |
+---------------------------+--------------------+----------------------+------+
| sym.imp.user32.dll_GetKey | 0                  | 1                    | 1286 |
| boardType                 |                    |                      |      |
+---------------------------+--------------------+----------------------+------+

At the moment, it just supports size ordering, call references from the functions and xrefs to the functions.

call_graph_to_x32_db.py

Dependencies

r2pipe
awk
grep

Example

python3 call_graph_to_x32_db.py -f 0x00425234 -o test.dd32 text.exe

unpacker.py

Dependencies

qiling

lazarus_mata_sig_fn.py

Dependencies

qiling
r2pipe

stackstrings.py

Dependencies

Ghidra

stackstrings.java

Dependencies

Ghidra

TODO

Refactoring
Remove awk and grep from the dependencies (issue with split(' ') with the output from grep -v (due to colorized outputs from radare2))
See why some breakpoints need to have an absolute address and the other a relative address (x32/64dbg investigation)