It's a very happy pre-alpha to me, to you
Sniper is not really my idea; Pedram actually threw it over the fence to me. I am not working with a partner, so I wanted to put out a pre-alpha version of my code for Sniper, which hopefully in the next couple of weeks (or not) I can integrate into Pai-Mei. The idea is to give reversers a signature framework for reversing any type of code, whether it is malware or standard software. Sniper is aiming (heh) to allow rule-based quick analysis of code previously analyzed by IDA or whatever. The utility gained from something like this would be picking out known functions, like an inline strcpy, and then commenting on the code. This software is really in a prototype phase and will be used to build a cleaner version if possible, if I have time and my future employer allows for it. I am also not sure if anyone else is developing or integrating functionality like this into Pai-Mei with a similar intent.

Also the README:

This is a pre-alpha installment, meaning the code is unstable and the API is changing with the direction of the wind. In the initial release I was trying to accomplish several items so that further development of the analysis for RE signatures and malware signatures could be supported; they are listed below.

Functional Requirements

1) Given any PIDA object, move up the PIDA graph hierarchy to a desired resolution (e.g. instruction -> function).
2) Drill down on any object given some known attributes like constants, disassembly, or function names (still needs work).
3) Put 1 and 2 together into a single operation.
4) Support matching on basic attributes for a given object. This matching will match against lists, tuples, and sets; ordered lists, tuples, and sets; sub-lists; and wildcard / single values in a list. I also have some code that will look at instructions and try to decompose them to look at just a particular memory access, but this is way ahead of where I need to be.
5) Put 1-4 together.

Right now I am in the middle of requirement 4, and requirement 1 is mostly complete. Before I can really begin to test requirement 2, I need to focus on the 4th requirement. I think the finale for this project will be the completion of requirement 3 as opposed to 5, because of the functional dependencies. C'est la vie. What I have thus far are the basics of 1 and untested code for objective 2. The supporting code for 2 and 4 is being written in the form of an attribute class, and it will actually support its own comparison functions if necessary. There is no real documentation as of yet. I am not sure how the commenting and documentation system works in Python, so until this code gets closer to an official release (if ever), the source code will have to suffice.

Special thanks to: Pedram Amini, nummish

For those interested, the code is located here: http://www.queenofbattle.net/wp-content/uploads/PMSniper_prealpha01.zip

SHA-256: be1184da9426b1f27b491ee7f2437e6dd3eab0b8fb4f913705a7da2c37ebce1b PMSniper_prealpha01.zip
MD5: e964046f2b032ae0b406f1dbcfaddee4 PMSniper_prealpha01.zip

edit: changed code location
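To make requirements 2 and 4 concrete, here is an added example of the kind of attribute matcher the README describes: rules built from attribute constraints, where each constraint is a single value, a wildcard, an ordered sequence, a contiguous sub-list, or an unordered set, run over function records to emit comments such as "inline strcpy". This is illustration code written for this page, not the Sniper or Pai-Mei code; it does not touch PIDA at all. The function records are plain dicts constructed here with an assumed shape (name, mnemonics, constants, callees), and the mnemonic pattern used for the byte-copy loop is a made-up signature, not one shipped with Sniper.

```python
"""Rule-based attribute matching over constructed function records.

Added example, not Sniper/Pai-Mei code. Function records are plain dicts
standing in for PIDA function objects (assumed keys: name, mnemonics,
constants, callees).
"""
from dataclasses import dataclass

WILDCARD = "*"


def match_scalar(pattern, value):
    """Single value match; the wildcard matches anything."""
    return pattern == WILDCARD or pattern == value


def match_ordered(pattern, values):
    """Positional match of equal length; '*' matches any one element."""
    if len(pattern) != len(values):
        return False
    return all(match_scalar(p, v) for p, v in zip(pattern, values))


def match_sublist(pattern, values):
    """Pattern occurs as a contiguous run somewhere inside values."""
    n = len(pattern)
    if n == 0:
        return True
    return any(match_ordered(pattern, values[i:i + n])
               for i in range(len(values) - n + 1))


def match_unordered(pattern, values):
    """Every element of pattern is present in values, order ignored."""
    return all(p == WILDCARD or p in values for p in pattern)


@dataclass(frozen=True)
class Attr:
    """One constraint on one attribute of an object."""
    name: str
    pattern: object
    mode: str = "scalar"  # scalar | ordered | sublist | unordered

    def matches(self, obj):
        if self.name not in obj:
            return False
        value = obj[self.name]
        if self.mode == "scalar":
            return match_scalar(self.pattern, value)
        if self.mode == "ordered":
            return match_ordered(list(self.pattern), list(value))
        if self.mode == "sublist":
            return match_sublist(list(self.pattern), list(value))
        if self.mode == "unordered":
            return match_unordered(set(self.pattern), set(value))
        raise ValueError("unknown match mode: %s" % self.mode)


@dataclass(frozen=True)
class Rule:
    """A comment to attach when every attribute constraint holds."""
    comment: str
    attrs: tuple

    def matches(self, obj):
        return all(a.matches(obj) for a in self.attrs)


def scan(functions, rules):
    """Return {function name: [rule comments]} for every rule that hits."""
    hits = {}
    for fn in functions:
        for rule in rules:
            if rule.matches(fn):
                hits.setdefault(fn["name"], []).append(rule.comment)
    return hits


# Constructed sample records (not real disassembly): the first is a
# byte-copy loop that reads like an inlined strcpy (load, store, advance
# both pointers, test for NUL, loop); the second calls strcpy outright.
FUNCTIONS = [
    {"name": "sub_401000",
     "mnemonics": ["push", "mov", "mov", "mov", "mov", "inc", "inc",
                   "test", "jnz", "pop", "ret"],
     "constants": {0x0},
     "callees": set()},
    {"name": "sub_402000",
     "mnemonics": ["push", "mov", "push", "call", "add", "pop", "ret"],
     "constants": {0x104},
     "callees": {"strcpy"}},
]

# Constructed rules; the mnemonic sequences are illustrative signatures.
RULES = [
    Rule("inline strcpy-style byte copy loop",
         (Attr("mnemonics", ["mov", "mov", "inc", "*", "test", "jnz"], "sublist"),
          Attr("constants", {0x0}, "unordered"))),
    Rule("strcpy into fixed-size buffer (0x104)",
         (Attr("callees", {"strcpy"}, "unordered"),
          Attr("constants", {0x104}, "unordered"))),
    Rule("standard pop/ret epilogue",
         (Attr("mnemonics", ["pop", "ret"], "sublist"),)),
]

if __name__ == "__main__":
    for name, comments in scan(FUNCTIONS, RULES).items():
        print(name, "->", "; ".join(comments))
```

The four match modes map onto the README's list: `ordered` is the exact-length list/tuple case, `sublist` is the sub-list case, `unordered` is the set case, and `"*"` is the wildcard in either a scalar or a sequence position. Rules are evaluated per function, so hooking this into the drill-down of requirement 2 would only mean feeding real PIDA function attributes in place of the dicts.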