News 16/03/2022 12:19

Modules/console.py

@@ -139,7 +139,7 @@ def complete(text, state):
 
         # Exit and clear everything
         if con_command == "exit":
-            junkFiles = ["temp.txt", ".path_handler", "elves.txt", ".target-file.txt", ".target-folder.txt"]
+            junkFiles = ["temp.txt", ".path_handler", ".target-file.txt", ".target-folder.txt"]
             for junk in junkFiles:
                 if os.path.exists(junk):
                     os.remove(junk)
@@ -192,8 +192,6 @@ def complete(text, state):
                         command = f"strings --all {filename} > temp.txt"
                         os.system(command)
                         print(f"{infoS} Target OS: [bold green]Linux[white]\n")
-                        command = f"readelf -a {filename} > elves.txt"
-                        os.system(command)
                         command = f"python3 {sc0pe_path}/Modules/linAnalyzer.py {filename}"
                         os.system(command)
                         os.remove(f"{sc0pe_path}/temp.txt")

Modules/linAnalyzer.py

@@ -3,31 +3,47 @@
 import os
 import sys
 import json
+import configparser
 try:
     from rich import print
     from rich.table import Table
 except:
     print("Error: >rich< module not found.")
     sys.exit(1)
 
+try:
+    import lief
+except:
+    print("Error: >lief< module not found.")
+    sys.exit(1)
+
+try:
+    import yara
+except:
+    print("Error: >yara< module not found.")
+    sys.exit(1)
+
 # Getting name of the file for statistics
 fileName = str(sys.argv[1])
 
+# Elf parsing
+binary = lief.parse(fileName)
+
+#--------------------------------------------- Legends
+infoS = f"[bold cyan][[bold red]*[bold cyan]][white]"
+
 # Gathering Qu1cksc0pe path variable
 sc0pe_path = open(".path_handler", "r").read()
 
 # Wordlists
-allStrings = open("temp.txt", "r").read().split("\n")
-allThings = open("elves.txt", "r").read()
-sections = open(f"{sc0pe_path}/Systems/Linux/sections.txt", "r").read().split("\n")
-segments = open(f"{sc0pe_path}/Systems/Linux/segments.txt", "r").read().split("\n")
 networkz = open(f"{sc0pe_path}/Systems/Linux/Networking.txt", "r").read().split("\n")
 filez = open(f"{sc0pe_path}/Systems/Linux/Files.txt", "r").read().split("\n")
 procesz = open(f"{sc0pe_path}/Systems/Linux/Processes.txt", "r").read().split("\n")
 memoryz = open(f"{sc0pe_path}/Systems/Linux/Memory.txt", "r").read().split("\n")
 infogaz = open(f"{sc0pe_path}/Systems/Linux/Infoga.txt", "r").read().split("\n")
 persisz = open(f"{sc0pe_path}/Systems/Linux/Persistence.txt", "r").read().split("\n")
 cryptoz = open(f"{sc0pe_path}/Systems/Linux/Crypto.txt", "r").read().split("\n")
+debuggz = open(f"{sc0pe_path}/Systems/Linux/Debug.txt", "r").read().split("\n")
 otherz = open(f"{sc0pe_path}/Systems/Linux/Others.txt", "r").read().split("\n")
 
 # Categories
@@ -38,51 +54,182 @@
 Information_Gathering = []
 System_Persistence = []
 Cryptography = []
+Evasion = []
 Other = []
 
 # Report structure
 linrep = {
     "filename": "",
+    "machine_type": "",
+    "binary_entrypoint": "",
+    "number_of_sections": 0,
+    "number_of_segments": 0,
     "categories": {},
     "sections": [],
-    "segments": []
+    "segments": [],
+    "libraries": [],
+    "matched_rules": [],
+    "security": {"NX": False, "PIE": False}
 }
 
 # Scores
 scoreDict = {
-        "Networking": 0,
-        "File": 0,
-        "Process": 0,
-        "Memory Management": 0,
-        "Information Gathering": 0,
-        "System/Persistence": 0,
-        "Cryptography": 0,
-        "Other/Unknown": 0
-        }
+    "Networking": 0,
+    "File": 0,
+    "Process": 0,
+    "Memory Management": 0,
+    "Information Gathering": 0,
+    "System/Persistence": 0,
+    "Cryptography": 0,
+    "Evasion": 0,
+    "Other/Unknown": 0
+}
 
 # Dictionary of categories
 Categs = {
-        "Networking": Networking,
-        "File": File,
-        "Process": Process,
-        "Memory Management": Memory,
-        "Information Gathering": Information_Gathering,
-        "System/Persistence": System_Persistence,
-        "Cryptography": Cryptography,
-        "Other/Unknown": Other
-        }
+    "Networking": Networking,
+    "File": File,
+    "Process": Process,
+    "Memory Management": Memory,
+    "Information Gathering": Information_Gathering,
+    "System/Persistence": System_Persistence,
+    "Cryptography": Cryptography,
+    "Evasion": Evasion,
+    "Other/Unknown": Other
+}
 
 # Dictionary of arrays
 dictArr = {
-        "Networking": networkz,
-        "File": filez,
-        "Process": procesz,
-        "Memory Management": memoryz,
-        "Information Gathering": infogaz,
-        "System/Persistence": persisz,
-        "Cryptography": cryptoz,
-        "Other/Unknown": otherz
-        }
+    "Networking": networkz,
+    "File": filez,
+    "Process": procesz,
+    "Memory Management": memoryz,
+    "Information Gathering": infogaz,
+    "System/Persistence": persisz,
+    "Cryptography": cryptoz,
+    "Evasion": debuggz,
+    "Other/Unknown": otherz
+}
+
+# Get imported symbols from binary
+allStrings = []
+for ssym in binary.symbols:
+    allStrings.append(ssym.name)
+
+# Binary security checker
+def SecCheck():
+    chksec = Table(title_justify="center", title="* Security *", title_style="bold italic cyan")
+    chksec.add_column("[bold yellow]NX", justify="center")
+    chksec.add_column("[bold yellow]PIE", justify="center")
+    # Checking NX
+    if binary.has_nx is True:
+        nxstr = "[bold red]True"
+    else:
+        nxstr = "[bold green]False"
+
+    # Checking PIE
+    if binary.is_pie is True:
+        pistr = "[bold green]True"
+    else:
+        pistr = "[bold red]False"
+    chksec.add_row(nxstr, pistr)
+    print(chksec)
+    linrep["security"]["NX"] = binary.has_nx
+    linrep["security"]["PIE"] = binary.is_pie
+
+def LinuxYara(target_file):
+    yara_match_indicator = 0
+    # Parsing config file to get rule path
+    conf = configparser.ConfigParser()
+    conf.read(f"{sc0pe_path}/Systems/Linux/linux.conf")
+    rule_path = conf["Rule_PATH"]["rulepath"]
+    finalpath = f"{sc0pe_path}/{rule_path}"
+    allRules = os.listdir(finalpath)
+
+    # This array for holding and parsing easily matched rules
+    yara_matches = []
+    for rul in allRules:
+        try:
+            rules = yara.compile(f"{finalpath}{rul}")
+            tempmatch = rules.match(target_file)
+            if tempmatch != []:
+                for matched in tempmatch:
+                    if matched.strings != []:
+                        yara_matches.append(matched)
+        except:
+            continue
+
+    # Printing area
+    if yara_matches != []:
+        yara_match_indicator += 1
+        for rul in yara_matches:
+            yaraTable = Table()
+            print(f">>> Rule name: [i][bold magenta]{rul}[/i]")
+            yaraTable.add_column("Offset", style="bold green", justify="center")
+            yaraTable.add_column("Matched String/Byte", style="bold green", justify="center")
+            linrep["matched_rules"].append(str(rul))
+            for mm in rul.strings:
+                yaraTable.add_row(f"{hex(mm[0])}", f"{str(mm[2])}")
+            print(yaraTable)
+            print(" ")
+
+    if yara_match_indicator == 0:
+        print(f"[blink bold white on red]Not any rules matched for {target_file}")
+
+# General information
+def GeneralInformation():
+    print(f"{infoS} General Informations about [bold green]{fileName}")
+    print(f"[bold red]>>>>[white] Machine Type: [bold green]{binary.header.machine_type.name}")
+    print(f"[bold red]>>>>[white] Binary Entrypoint: [bold green]{hex(binary.entrypoint)}")
+    print(f"[bold red]>>>>[white] Number of Sections: [bold green]{len(binary.sections)}")
+    print(f"[bold red]>>>>[white] Number of Segments: [bold green]{len(binary.segments)}")
+    linrep["machine_type"] = binary.header.machine_type.name
+    linrep["binary_entrypoint"] = str(hex(binary.entrypoint))
+    linrep["number_of_sections"] = len(binary.sections)
+    linrep["number_of_segments"] = len(binary.segments)
+    SecCheck()
+
+# Gathering sections
+def SectionParser():
+    secTable = Table(title="* Informations About Sections *", title_justify="center", title_style="bold italic cyan")
+    secTable.add_column("[bold green]Section Names", justify="center")
+    secTable.add_column("[bold green]Size(bytes)", justify="center")
+    secTable.add_column("[bold green]Offset", justify="center")
+    secTable.add_column("[bold green]Virtual Address", justify="center")
+    secTable.add_column("[bold green]Entropy", justify="center")
+    for sec in binary.sections:
+        if sec.name != "" and sec.name != " ":
+            secTable.add_row(
+                f"[bold red]{sec.name}", 
+                str(sec.size),
+                str(hex(sec.offset)),
+                str(hex(sec.virtual_address)),
+                str(sec.entropy)
+            )
+            linrep["sections"].append(
+                {
+                    "name": sec.name,
+                    "size": sec.size,
+                    "offset": str(hex(sec.offset)),
+                    "virtual_address": str(hex(sec.virtual_address)),
+                    "entropy": str(sec.entropy)
+                }
+            )
+    print(secTable)
+
+# Gathering segments
+def SegmentParser():
+    segTable = Table(title="* Informations About Segments *", title_justify="center", title_style="bold italic cyan")
+    segTable.add_column("[bold green]Segments", justify="center")
+    segTable.add_column("[bold green]Contained Sections", justify="center")
+    for seg in binary.segments:
+        ssec = []
+        if seg.type.name != "" and seg.type.name != " ":
+            for sgs in seg.sections:
+                ssec.append(sgs.name)
+            segTable.add_row(f"[bold red]{seg.type.name}", str(ssec))
+            linrep["segments"].append(seg.type.name)
+    print(segTable)
 
 # Defining function
 def Analyzer():
@@ -96,7 +243,7 @@ def Analyzer():
                     allFuncs +=1
     for key in Categs:
         if Categs[key] != []:
-            if key == "Information Gathering" or key == "System/Persistence" or key == "Cryptography":
+            if key == "Information Gathering" or key == "System/Persistence" or key == "Cryptography" or key == "Evasion":
                 tables = Table(title="* WARNING *", title_style="blink italic yellow", title_justify="center", style="yellow")
             else:
                 tables = Table()
@@ -131,33 +278,24 @@ def Analyzer():
                         pass
             print(tables)
 
-    # Gathering sections and segments
-    secTable = Table()
-    segTable = Table()
-    secTable.add_column("[bold green]Sections")
-    segTable.add_column("[bold green]Segments")
-
-    # Sections
-    sec_indicator = 0
-    for se1 in sections:
-        if se1 in allThings:
-            if se1 != "":
-                secTable.add_row(f"[bold red]{se1}")
-                linrep["sections"].append(se1)
-                sec_indicator += 1
-    if sec_indicator != 0:
-        print(secTable)
-
+    # Perform YARA scan
+    print(f"\n{infoS} Performing YARA rule matching...")
+    LinuxYara(fileName)
+
+    # Get sections
+    SectionParser()
+
     # Segments
-    seg_indicator = 0
-    for se2 in segments:
-        if se2 in allThings:
-            if se2 != "":
-                segTable.add_row(f"[bold red]{se2}")
-                linrep["segments"].append(se2)
-                seg_indicator += 1
-    if seg_indicator != 0:
-        print(segTable)
+    SegmentParser()
+
+    # Used libraries
+    libs = Table()
+    libs.add_column("[bold green]Libraries", justify="center")
+    if len(binary.libraries) > 0:
+        for x in binary.libraries:
+            libs.add_row(f"[bold red]{x}")
+            linrep["libraries"].append(x)
+        print(libs)
 
     # Statistics zone
     print(f"\n[bold green]->[white] Statistics for: [bold green][i]{fileName}[/i]")
@@ -192,8 +330,7 @@ def Analyzer():
 
 # Execute
 try:
+    GeneralInformation()
     Analyzer()
-    if os.path.exists("Modules/elves.txt"):
-        os.remove("Modules/elves.txt")
 except:
     pass

README.md

@@ -22,10 +22,10 @@ python3 qu1cksc0pe.py --file suspicious_file --analyze
 ![Screen](.animations/Screenshot.png)
 
 # Updates
-<b>07/03/2022</b>
-- [X] Bug fixes.
-- [X] Added analysis report exporting. Now you can get your analysis reports on json files.<br>
-<b>Usage</b>: ```python3 qu1cksc0pe.py --file suspicious_file --analyze --report```
+<b>16/03/2022</b>
+- [X] ```LinuxAnalyzer``` module is significantly improved.
+- [X] Added ```Mirai Detection``` capability to ```LinuxAnalyzer``` module.<br>
+![update_gif](.animations/linan.gif)
 
 # Available On
 ![blackarch_banner](.animations/blackarch.png)
@@ -49,13 +49,13 @@ python3 qu1cksc0pe.py --file suspicious_file --analyze
 - ```yara-python``` => <i>Android library scanning with Yara rules.</i>
 - ```prompt_toolkit``` => <i>Interactive shell.</i>
 - ```frida``` => <i>Performing dynamic analysis against android applications.</i>
-- ```PyExifTool``` => <i>Metadata extraction and analysis.</i>
+- ```lief``` => <i>ELF binary parsing and analysis.</i>
 
 <br><b>Installation of python modules</b>: ```pip3 install -r requirements.txt```<br>
 <b>Gathering other dependencies</b>:
 - <i>VirusTotal API Key</i>: ```https://virustotal.com```
-- <i>Binutils</i>: ```sudo apt-get install binutils```
 - <i>Strings</i>: ```sudo apt-get install strings```
+- <i>PyExifTool</i>: ```git clone git://github.com/smarnach/pyexiftool.git``` then ```cd pyexiftool && sudo python3 setup.py install```
 
 **Alert**
 > **You must specify jadx binary path in Systems/Android/libScanner.conf**