import sys
import r2pipe
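# Cursor into importDll for the import currently being located; searchDll()
# advances it and the analysis sections reset it to 0 before each search.
contDll = 0
# Import names exactly as radare2 reports them in `iij` ("<DLL>_<function>").
dllSleep = "KERNEL32.dll_Sleep"
dllProcess32 = "KERNEL32.dll_Process32NextW"
dllFindWindow = "USER32.dll_FindWindowW"
# Sample to patch. An optional first CLI argument overrides the historical
# hard-coded name so the script is not tied to a single file.
targetBinary = sys.argv[1] if len(sys.argv) > 1 else "FirstStageS2.2.exe"
# '-w' opens the sample for in-place writing: every `wx` issued later in this
# script modifies the file on disk with no backup and no undo. Run it against
# a copy of the sample (and record the original's hash first) so the pristine
# artefact is preserved for further analysis.
r2 = r2pipe.open(targetBinary, ['-w'])
# Import table as JSON; searchDll()/callDll() look entries up by "name".
importDll = r2.cmdj("iij")
# Full analysis so that `axt` cross-references to the imports resolve.
r2.cmd("aaa")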
#Search dll
def searchDll(dllName):
    """Move the module-level cursor ``contDll`` onto the import named *dllName*.

    Scans ``importDll`` (radare2 ``iij`` output) forward from the current
    value of ``contDll``. On return ``contDll`` is the index of the first
    matching entry at or after the starting position, or ``len(importDll)``
    when nothing from that position matches (an already out-of-range cursor is
    left untouched). Callers that want to search from the beginning must reset
    ``contDll`` to 0 themselves first.
    """
    global contDll
    total = len(importDll)
    contDll = next(
        (idx for idx in range(contDll, total) if importDll[idx]["name"] == dllName),
        max(contDll, total),
    )
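#Go to the DLL call
def callDll(contDll):
    """Seek radare2 to the first code reference of ``importDll[contDll]``.

    Resolves ``sym.imp.<name>``, asks for its cross-references (``axtj``),
    seeks to the first one and prints that address together with the
    disassembled instruction found there. The patch steps that follow rely on
    this seek having happened, so a missing reference is reported as an error
    instead of being skipped silently.

    Args:
        contDll: index into the module-level ``importDll`` table.

    Raises:
        IndexError: the import has no cross-references (e.g. analysis did not
            resolve the call site). Raising here prevents the caller from
            patching bytes at whatever address happened to be current.
    """
    instr_Dll = "sym.imp."+importDll[contDll]["name"]
    ref_Instr = r2.cmdj("axtj @ "+instr_Dll)
    if not ref_Instr:
        raise IndexError("no cross-references found for "+instr_Dll)
    # "from" is the referencing address as an integer; format it directly
    # rather than round-tripping through radare2's `?j`.
    hexValue = hex(ref_Instr[0]["from"])
    print('\n'"Pos call Dll: "+hexValue)
    r2.cmd("s "+hexValue)
    #Call Dll instruction:
    infoCallRef = r2.cmdj("pdj 1")
    if not infoCallRef:
        raise IndexError("could not disassemble the instruction at "+hexValue)
    opcodeCall = infoCallRef[0]["opcode"]
    print("Opcode instruction: "+opcodeCall)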
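#######################
#Sleep DLL Analysis#
#######################
# Goal: neutralise a Sleep()-based delay by rewriting the `push <ms>` that
# feeds Sleep(dwMilliseconds), so the sample effectively calls Sleep(0).
# Every `wx` below writes straight into the file opened with '-w'.
print('\n'"---DLL Analysis: Sleep---")
searchDll(dllSleep)
#Go to the DLL call
if contDll < len(importDll):
    instr_Dll = "sym.imp."+importDll[contDll]["name"]
    ref_Instr = r2.cmdj("axtj @ "+instr_Dll) or []
    # NOTE(review): this section deliberately takes the *second* xref ([1])
    # whereas callDll() takes the first; presumably the first Sleep reference
    # in this sample is not the delay of interest — confirm against the
    # sample. Fail early instead of crashing mid-way (and leaving a partly
    # patched file) when fewer references exist.
    if len(ref_Instr) < 2:
        raise IndexError("expected at least two cross-references for "+instr_Dll+", got "+str(len(ref_Instr)))
    hexValue = hex(ref_Instr[1]["from"])
    print()
    print("Pos call Dll: "+hexValue)
    r2.cmd("s "+hexValue)
    ##Call Dll Sleep instruction:
    infoCallRefSleep = r2.cmdj("pdj 1")
    if not infoCallRefSleep:
        raise LookupError("could not disassemble the instruction at "+hexValue)
    opcode = infoCallRefSleep[0]["opcode"]
    print("Opcode instruction: "+opcode)
    #In the case that it's a mov first, check the reg to find the call
    # (i.e. `mov reg, [Sleep]` followed later by `call reg` rather than a
    # direct `call [Sleep]`).
    if str(opcode).find("mov") >= 0:
        # Registers the indirect call may go through. The original list had
        # "ebc" (a typo for ebx) and walked off its end when nothing matched.
        regs = ["eax", "ebx", "ecx", "edx", "edi", "esi"]
        reg = next((r for r in regs if str(opcode).find(r) >= 0), None)
        if reg is None:
            raise LookupError("cannot identify the register loaded by: "+str(opcode))
        #Knowing the reg, search for a call to that reg
        call = "call "+reg
        # NOTE(review): `~` is radare2's line grep; applied to single-line
        # JSON it returns either the whole `pdj` block or nothing, so the
        # scan below does the real filtering and tolerates an empty result.
        callSleep = r2.cmdj("pdj ~call "+reg) or []
        callIns = next((ins for ins in callSleep if ins.get("opcode") == call), None)
        if callIns is None:
            raise LookupError("no '"+call+"' found after "+hexValue)
        hexValueSleep = hex(callIns["offset"])
        print("Call Sleep mem: "+hexValueSleep)
        r2.cmd("s "+hexValueSleep)
    #Search push instruction
    # `pd -1` is the single instruction *before* the current seek, which for
    # the __stdcall Sleep(dwMilliseconds) should be the argument push —
    # whether the call itself was direct or went through a register.
    instPush = r2.cmdj("pdj -1")
    if not instPush:
        raise LookupError("could not disassemble the instruction before the Sleep call")
    opcodePush = instPush[0]["opcode"]
    bytesPush = str(instPush[0]["bytes"]).lower()
    hexPush = hex(instPush[0]["offset"])
    #Change push instruction
    if opcodePush.find("push") >= 0:
        if bytesPush.startswith("68"):
            # 68 imm32 (5 bytes) -> push 0; same length, nothing else touched.
            r2.cmd("wx 6800000000 @ "+hexPush)
        elif bytesPush.startswith("6a"):
            # 6a imm8 (2 bytes) -> push 0.
            r2.cmd("wx 6a00 @ "+hexPush)
        else:
            # push reg (1 byte) or push [mem] (variable length): a blind
            # 2-byte write would spill into the next instruction, so report
            # and skip rather than corrupt the code stream.
            print("Unhandled push encoding, not patched: "+opcodePush+" ("+bytesPush+")")
    else:
        print("Instruction before the Sleep call is not a push, nothing patched: "+opcodePush)
else:
    print('\n'"Not found the function: "+ dllSleep)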
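########################
#Process32 DLL Analysis#
########################
# Goal: defuse the check that follows Process32NextW by rewriting the `test`
# whose flags the next conditional jump consumes.
print('\n'"---DLL Analysis: Process32---")
contDll = 0
searchDll(dllProcess32)
if contDll < len(importDll):
    callDll(contDll)
    #Search test instruction
    # NOTE(review): `~test` is a line grep; on single-line JSON it yields the
    # whole `pdj` block or nothing, so tolerate an empty result and pick the
    # first `test` ourselves instead of indexing blindly.
    testInstr = r2.cmdj("pdj ~test") or []
    testIns = next((ins for ins in testInstr if str(ins.get("opcode", "")).find("test") != -1), None)
    if testIns is None:
        raise LookupError("no 'test' instruction found after the "+dllProcess32+" call")
    hexValueTest = hex(testIns["offset"])
    print("Call Test mem: "+hexValueTest)
    #Search jmp instruction
    r2.cmd("s "+hexValueTest)
    infoCallJmp = r2.cmdj("pdj 2") or []
    if len(infoCallJmp) < 2:
        raise LookupError("could not disassemble the instruction following the test at "+hexValueTest)
    opcodeJmp = str(infoCallJmp[1]["opcode"])
    # Compare the mnemonic only; a substring test on the whole opcode text
    # would also match e.g. `jecxz` for "je".
    jmpMnemonic = (opcodeJmp.split() or [""])[0]
    #Change test instruction
    opcodeTest = testIns["opcode"]
    bytesTest = str(testIns["bytes"]).lower()
    # Both replacements are `a8 ib` (test al, imm8): 2 bytes. Only a 2-byte
    # test (e.g. 85 c0 `test eax, eax`) can be overwritten in place; a longer
    # encoding would leave stray operand bytes behind and desynchronise the
    # instruction stream after the patch.
    if len(bytesTest) != 4:
        print("Unhandled test encoding, not patched: "+opcodeTest+" ("+bytesTest+")")
    elif jmpMnemonic in ("jz", "je"):
        # test al, 0 always sets ZF, so the following jz/je is always taken.
        r2.cmd("wx a800 @ "+hexValueTest)
    elif jmpMnemonic in ("jnz", "jne"):
        # NOTE(review): test al, 1 clears ZF only when bit 0 of AL is set, so
        # this does NOT force the jnz/jne — the branch still depends on the
        # function's return value. If an unconditional outcome is intended,
        # patching the jump opcode itself (as the FindWindowW section does)
        # is the robust choice — confirm the intent against the sample.
        r2.cmd("wx a801 @ "+hexValueTest)
    else:
        print("Instruction after the test is not a jz/jnz, nothing patched: "+opcodeJmp)
else:
    print('\n'"Not found the function: "+ dllProcess32)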
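########################
# FindWindowW Analysis #
########################
# Goal: invert the conditional jump that acts on the FindWindowW() result
# (presumably a window-title check for debuggers/analysis tools — confirm
# against the sample).
print()
print("---FindWindowW Analysis---")
contDll = 0
searchDll(dllFindWindow)
if contDll < len(importDll):
    callDll(contDll)
    #Search jmp instruction
    # NOTE(review): `~j` is a line grep; on single-line JSON it yields the
    # whole `pdj` block or nothing, so tolerate an empty result and select the
    # first jz/je/jnz/jne by mnemonic (a substring match would also hit e.g.
    # `jecxz`).
    JInstr = r2.cmdj("pdj ~j") or []
    # Inverted opcodes: short form 74/75 rel8, near form 0f 84/0f 85 rel32.
    shortForm = {"jz": "75", "je": "75", "jnz": "74", "jne": "74"}
    nearForm = {"jz": "0f85", "je": "0f85", "jnz": "0f84", "jne": "0f84"}
    jmpIns = None
    for ins in JInstr:
        if (str(ins.get("opcode", "")).split() or [""])[0] in shortForm:
            jmpIns = ins
            break
    if jmpIns is None:
        raise LookupError("no conditional jump found after the "+dllFindWindow+" call")
    hexValueJmp = hex(jmpIns["offset"])
    print("Call Jmp mem: "+hexValueJmp)
    #Invert the jmp instruction
    jmpMnemonic = str(jmpIns["opcode"]).split()[0]
    bytesJmp = str(jmpIns["bytes"]).lower()
    if bytesJmp.startswith("0f"):
        # Near form: the condition lives in the second opcode byte. Writing a
        # single byte here (as the original did) would turn `0f 84 rel32` into
        # `75 84 ...` and corrupt the displacement; write both opcode bytes
        # and keep the 4-byte displacement intact.
        newOpcode = nearForm[jmpMnemonic]
    elif bytesJmp.startswith(("74", "75")):
        # Short form: one opcode byte followed by the rel8 displacement.
        newOpcode = shortForm[jmpMnemonic]
    else:
        newOpcode = None
        print("Unhandled jump encoding, not patched: "+str(jmpIns["opcode"])+" ("+bytesJmp+")")
    if newOpcode is not None:
        r2.cmd("wx "+newOpcode+" @ "+hexValueJmp)
else:
    print('\n'"Not found the function: "+ dllFindWindow)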