Flag: Tornado! Hurricane!


Created: Tuesday, April 17 2007 01:40.33 CDT Modified: Tuesday, April 17 2007 11:19.35 CDT
It's a very happy pre-alpha to me, to you
Author: apridgen # Views: 3378

Sniper is not really my idea; Pedram actually threw it over the fence to me.

I am not working with a partner, so I wanted to put out a pre-alpha version of my code for Sniper, which hopefully in the next couple of weeks (or not) I can integrate into Pai-Mei.  The idea is to give reversers a signature framework for reversing any type of code, whether it is malware or standard software.

Sniper is aiming (heh) to allow for rule-based quick analysis of code previously analyzed by IDA or whatever.  The utility gained from something like this would be picking out known functions, like an inline strcpy, and then commenting the code.

This software is really in a prototype phase, and will be used to build a bit of a cleaner version if possible, if I have time and my future employer allows for it.  I am also not sure if anyone else is developing or integrating any functionality like this into Pai-Mei with a similar intent.

Also the README:

This is a pre-alpha installment meaning the code is unstable and the API is
changing with the direction of the wind.

In the initial release, I was trying to accomplish several items so that
further development of the analysis for RE signatures and malware signatures
could be supported; they are listed below.

Functional Requirements
1) Given any pida object, move up the pida graph hierarchy to a desired
resolution (e.g. instruction -> function).
2) Drill down on any object given some known attributes like
constants, disassembly, function names (still needs work).
3) Put 1 and 2 together into a single operation.
4) Support matching on basic attributes for a given object; the matching
will support lists, tuples and sets, ordered lists, tuples and sets,
sub-lists, and wild-card / single values in the list.
I also have some code that will look at instructions and try to decompose them
to look at a particular memory access, but this is way ahead of where I need
to be.

5) Put 1-4 together.
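The four requirements above, as an added stand-alone example written for this page. It is not Sniper's code and does not use Pai-Mei's real pida API: the Instruction/BasicBlock/Function classes are hypothetical stand-ins for pida objects, the INLINE_STRCPY rule is a made-up signature, and build_sample() constructs a hand-written function shaped like an inlined strcpy loop. up_to() is requirement 1, drill_down() is requirement 2, apply_signature() chains them as requirement 3, and match_value() implements the requirement 4 semantics (ordered sub-list via tuples, unordered sub-set via sets, "*" as a wild card):

```python
# Added example for this page (not Sniper's code): a toy signature engine covering
# Sniper's requirements 1-4.  Instruction/BasicBlock/Function are hypothetical
# stand-ins for pida objects, not Pai-Mei's real API.
import re
from dataclasses import dataclass, field

WILD = "*"  # wild card: matches anything

@dataclass(eq=False)
class Instruction:
    ea: int
    mnem: str
    ops: list
    parent: object = None  # owning BasicBlock

    @property
    def constants(self):  # immediates/displacements, e.g. 0x4 in [esp+0x4]
        return [int(h, 16) for o in self.ops for h in re.findall(r"0x[0-9a-fA-F]+", o)]

@dataclass(eq=False)
class BasicBlock:
    ea: int
    instructions: list = field(default_factory=list)
    parent: object = None  # owning Function

@dataclass(eq=False)
class Function:
    ea: int
    name: str
    blocks: list = field(default_factory=list)
    comment: str = ""
    parent: object = None  # top of the hierarchy

    def walk(self):  # instructions in the constructed block order
        for bb in self.blocks:
            yield from bb.instructions

def up_to(obj, cls):
    # Requirement 1: climb parent links until an object of type cls is reached.
    while obj is not None and not isinstance(obj, cls):
        obj = obj.parent
    return obj

def match_value(pattern, value):
    # Requirement 4: "*" matches anything; a tuple must occur as a contiguous ordered
    # sub-list of the value; a set is an unordered sub-set; anything else is equality.
    if pattern == WILD:
        return True
    is_seq = isinstance(value, (list, tuple))
    if isinstance(pattern, tuple) and is_seq:
        n = len(pattern)
        return any(all(match_value(p, v) for p, v in zip(pattern, value[i:i + n]))
                   for i in range(len(value) - n + 1))
    if isinstance(pattern, (set, frozenset)) and is_seq:
        return all(any(match_value(p, v) for v in value) for p in pattern)
    return pattern == value

def match_attrs(obj, rule):
    return all(match_value(pat, getattr(obj, attr)) for attr, pat in rule.items())

def drill_down(func, rule):
    # Requirement 2: the instructions of func whose attributes satisfy rule.
    return [ins for ins in func.walk() if match_attrs(ins, rule)]

def match_sequence(func, seq):
    # Ordered instruction rules (WILD = any one instruction) as a contiguous window.
    ins, n = list(func.walk()), len(seq)
    for i in range(len(ins) - n + 1):
        window = ins[i:i + n]
        if all(r == WILD or match_attrs(x, r) for r, x in zip(seq, window)):
            return window
    return None

def apply_signature(func, sig):
    # Requirement 3: drill down with a sequence rule, lift the hit back up to the
    # function (requirement 1) and comment it.  Returns the function, or None.
    hit = match_sequence(func, sig["seq"])
    if hit is None:
        return None
    owner = up_to(hit[0], Function)
    owner.comment = "%s (at 0x%x)" % (sig["comment"], hit[0].ea)
    return owner

# Hypothetical signature for an inlined byte-copy loop (strcpy-like).
INLINE_STRCPY = {"comment": "inlined strcpy: byte copy loop terminated by NUL", "seq": [
    {"mnem": "mov", "ops": ("al", WILD)},  # load byte from source
    WILD,                                  # source pointer bump
    {"mnem": "mov", "ops": (WILD, "al")},  # store byte to destination
    WILD,                                  # destination pointer bump
    {"mnem": "test", "ops": ("al", "al")},
    {"mnem": "jnz", "ops": WILD}]}

def build_sample():
    # Constructed sample resembling an inlined strcpy loop; not real disassembly.
    layout = [(0x401000, [(0x401000, "mov", ["esi", "[esp+0x4]"]),
                          (0x401004, "mov", ["edi", "[esp+0x8]"])]),
              (0x401008, [(0x401008, "mov", ["al", "[esi]"]), (0x40100a, "inc", ["esi"]),
                          (0x40100b, "mov", ["[edi]", "al"]), (0x40100d, "inc", ["edi"]),
                          (0x40100e, "test", ["al", "al"]), (0x401010, "jnz", ["0x401008"])]),
              (0x401012, [(0x401012, "ret", [])])]
    f = Function(0x401000, "sub_401000")
    for bb_ea, rows in layout:
        bb = BasicBlock(bb_ea, parent=f)
        bb.instructions = [Instruction(ea, m, ops, parent=bb) for ea, m, ops in rows]
        f.blocks.append(bb)
    return f
```

Running `apply_signature(build_sample(), INLINE_STRCPY)` finds the six-instruction window starting at 0x401008 and writes the comment onto the owning Function; `drill_down(f, {"constants": {0x401008}})` picks out the `jnz` alone, since a set pattern only requires the constant to be present somewhere in the instruction's operand constants. The WILD slots in the sequence are what let `inc`/`add`/`lea` pointer bumps all satisfy the same rule, which is the kind of tolerance an inline-strcpy signature needs across compilers.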


Right now, I am in the middle of requirement 4, and requirement 1 is mostly
complete.  Before I can really begin to test requirement 2, I need to focus on
the 4th requirement.  I think the finale for this project will be the completion
of requirement 3 as opposed to 5, because of the functional dependencies.

C'est la vie.

What I have thus far are the basics of 1 and untested code for objective 2.
The supporting code for 2 and 4 is being written in the form of an attribute
class, and it will actually support its own comparison functions if necessary.


There is no real documentation as of yet.  I am not sure how the commenting and
documentation system works in Python, so until this code gets closer to an official
release (if ever), the source code will have to suffice.


special thanks to:

Pedram Amini [email protected]
nummish [email protected]



For those interested, the code is located here:
http://www.queenofbattle.net/wp-content/uploads/PMSniper_prealpha01.zip

be1184da9426b1f27b491ee7f2437e6dd3eab0b8fb4f913705a7da2c37ebce1b  PMSniper_prealpha01.zip
e964046f2b032ae0b406f1dbcfaddee4  PMSniper_prealpha01.zip

edit: changed code location
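Before unpacking the archive, check it against both sums published above. The following is an added example for this page, not part of the original post or of Sniper: PUBLISHED holds the two digests as printed (64 hex digits is SHA-256, 32 is MD5), the file is streamed once through both hashes, and the comparison uses hmac.compare_digest. demo() exercises the check on a constructed file containing b"abc", whose SHA-256 and MD5 are standard test vectors, so it runs offline without the real zip:

```python
# Added example for this page: verify a downloaded archive against the SHA-256 and
# MD5 sums published in the post before unpacking it.  Stand-alone code, not Sniper's.
import hashlib
import hmac
import os
import tempfile

PUBLISHED = {  # copied from the post; keys are hashlib algorithm names
    "sha256": "be1184da9426b1f27b491ee7f2437e6dd3eab0b8fb4f913705a7da2c37ebce1b",
    "md5": "e964046f2b032ae0b406f1dbcfaddee4",
}

def digests(path, algos=("sha256", "md5"), chunk=1 << 20):
    # Stream the file once, feeding every requested hash, so large archives are fine.
    hs = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hs.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hs.items()}

def verify(path, expected):
    # Every published digest must match; a partial match is a failure.
    got = digests(path, tuple(expected))
    return all(hmac.compare_digest(got[a], expected[a].lower()) for a in expected)

def demo():
    # Constructed input: b"abc", whose SHA-256 and MD5 are the standard test vectors.
    fd, path = tempfile.mkstemp()
    os.write(fd, b"abc")
    os.close(fd)
    try:
        good = verify(path, {
            "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
            "md5": "900150983cd24fb0d6963f7d28e17f72"})
        bad = verify(path, PUBLISHED)  # the constructed file is not the real archive
    finally:
        os.unlink(path)
    return good, bad
```

For the real download, `verify("PMSniper_prealpha01.zip", PUBLISHED)` must return True; treat anything else, including a match on only one of the two sums, as a different file.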