MirciuPirciu/CFG_Malware_Script_Thingy

Description

This is a script for automatic instruction sequence extraction from CFGs generated by Ghidra.

How to run

Create the venv with python3 -m venv .venv, then activate it. Because the script uses pyghidra, the environment variable GHIDRA_INSTALL_DIR must be set to the path of your Ghidra installation folder before running it.

# On Windows (the venv puts its scripts under Scripts\, not bin/; replace the path with your own Ghidra folder)
> .venv\Scripts\activate.bat
> set GHIDRA_INSTALL_DIR=C:\path\to\ghidra
# On Linux (replace the path with your own Ghidra folder)
$ source ./.venv/bin/activate
$ export GHIDRA_INSTALL_DIR=/path/to/ghidra

Finally, install the requirements and run the script:

pip install -r requirements.txt
python3 calls.py

Dependencies

The following packages need to be installed:

- mingw
    sudo apt install mingw-w64

- wine (optional, only if you also want to run the PE on Linux)
    sudo apt install wine

Directory hierarchy

The directory looks like this

.
├── calls.py
├── graphs
│	├── a86bc.gf
│	├── da4a0.dot.gf
│	└── dacb9.dot.gf
├── README
└── symbols
    ├── a86bc_data.csv
    ├── a86bc_symbols.csv
    ├── da4a0_data.csv
    ├── da4a0_symbols.csv
    ├── dacb9_data.csv
    └── dacb9_symbols.csv

The graphs directory holds the DOT graph files and the symbols directory holds the data and symbol tables; all of them were exported manually from Ghidra.

FAQs

  • How to convert a dot file to png?
    dot <graph.dot> -Tpng > <graph.png>

Print the symbol table using the API

# Ghidra script API; run from Ghidra's script manager or through pyghidra.
# getAllSymbols(True) also includes dynamic symbols (a Python bool is safer
# than the integer 1 under pyghidra's Java bridge).
st = currentProgram.symbolTable.getAllSymbols(True)
for i in st:
    print('\n-----\nsymbol:' + str(i) + '\naddress:' + str(i.getAddress()))

How to manually generate the input files

*.gf files

<focused in Listing panel/ Window -> Listing>
CTRL + A
Graph -> Graph Output -> Graph Export(check)
Graph -> Code Flow -> <Format: DOT> OK

*_data.csv

Header column we work with (example):

<focused in Defined Data panel/ Window -> Defined Data>
CTRL + A
<Right click> -> Export -> Export to CSV...
OK

*_symbols.csv

Window -> Symbol Table/ CTRL + T
<Right click on table header> -> Add/Remove Columns... -> <tick "Function Name" checkbox>
CTRL + A
<Right click> -> Export -> Export to CSV...
OK

generate in memory tree [WIP]

pm = currentProgram.treeManager.getRootModule(currentProgram.treeManager.DEFAULT_TREE_NAME)

Relevant snippets of code

currentProgram.symbolTable.externalSymbols

currentProgram.symbolTable.getAllSymbols(0) (see the Ghidra API docs for SymbolTable)

To-dos

  • document how "_data.csv", "_symbols.csv" and "*.gf" files are generated (done, see "How to manually generate the input files")
  • find a way to programmatically generate "*.gf" files (see the related issue)
  • find a way to programmatically generate "_data.csv" and "_symbols.csv" files (done, see "Print the symbol table using the API")
  • rewrite the section of the code that generates the sequences and encapsulate it in a function; document what information that function uses from the dot files (we may be able to gather that data from the API) (half done)
  • need a review of the bug documented on the bug_in_read_csv_samples branch, or at least the executable samples for the provided symbols/graphs
  • improve the encoding: it should include the registers used by the mnemonics, and we should use dictionaries of mnemonics, system calls and registers
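As an added illustration of the sequence-extraction step the to-dos describe (this is not the repository's calls.py): parse a code-flow DOT export into basic blocks, walk the CFG from the entry block, and emit one mnemonic sequence per acyclic path, keeping the registers each instruction touches so the encoding can use them. The node/label layout of the sample DOT text is a constructed approximation of Ghidra's export, not taken from the repository, and the register regex covers only the 32-bit x86 general registers.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of a DOT code-flow export: one node per basic
# block, the label holding "address: MNEMONIC operands" lines separated by \l.
# This layout is an assumption about the export format, not a verified copy.
SAMPLE_DOT = r'''digraph "code flow" {
  "00401000" [label="00401000: PUSH EBP\l00401001: MOV EBP,ESP\l00401003: CMP EAX,0x0\l00401006: JZ 00401010\l"];
  "00401008" [label="00401008: CALL 00401100\l0040100d: JMP 00401015\l"];
  "00401010" [label="00401010: XOR EAX,EAX\l"];
  "00401015" [label="00401015: POP EBP\l00401016: RET\l"];
  "00401000" -> "00401008";
  "00401000" -> "00401010";
  "00401008" -> "00401015";
  "00401010" -> "00401015";
}'''

NODE_RE = re.compile(r'^\s*"([^"]+)"\s*\[label="([^"]*)"\]', re.M)
EDGE_RE = re.compile(r'^\s*"([^"]+)"\s*->\s*"([^"]+)"', re.M)
INSN_RE = re.compile(r'^[0-9a-fA-F]+:\s*(\S+)\s*(.*)$')
REG_RE = re.compile(r'\b(E?[ABCD]X|E?[SD]I|E?[BS]P)\b')  # 32-bit x86 GPRs only

def parse_dot(text):
    """Return ({block: [(mnemonic, [registers]), ...]}, {block: [successors]})."""
    blocks, succ = {}, defaultdict(list)
    for name, label in NODE_RE.findall(text):
        insns = []
        for line in label.split('\\l'):          # DOT left-justified line break
            m = INSN_RE.match(line.strip())
            if m:
                insns.append((m.group(1), REG_RE.findall(m.group(2))))
        blocks[name] = insns
    for src, dst in EDGE_RE.findall(text):
        succ[src].append(dst)
    return blocks, succ

def sequences(blocks, succ, entry):
    """Enumerate mnemonic sequences along every acyclic path from the entry block."""
    out = []
    def walk(node, seen, acc):
        acc = acc + [mn for mn, _ in blocks.get(node, [])]
        nxt = [s for s in succ.get(node, []) if s not in seen]  # skip back edges
        if not nxt:
            out.append(acc)
            return
        for s in nxt:
            walk(s, seen | {s}, acc)
    walk(entry, {entry}, [])
    return out

if __name__ == "__main__":
    b, s = parse_dot(SAMPLE_DOT)
    for seq in sequences(b, s, "00401000"):
        print(" ".join(seq))
```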
