
stadeo's Introduction

Stadeo

Stadeo is a set of tools primarily developed to facilitate analysis of Stantinko, which is a botnet performing click fraud, ad injection, social network fraud, password stealing attacks and cryptomining.

The scripts, written entirely in Python, deal with Stantinko's unique control-flow-flattening (CFF) and string obfuscation techniques described in our March 2020 blogpost. Additionally, they can be utilized for other purposes: for example, we’ve already extended our approach to support deobfuscating the CFF featured in Emotet – a trojan that steals banking credentials and that downloads additional payloads such as ransomware.

Our deobfuscation methods use IDA, which is a standard tool in the industry, and Miasm – an open source framework providing us with various data-flow analyses, a symbolic execution engine, a dynamic symbolic execution engine and the means to reassemble modified functions.
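The README describes the approach only in outline. The block below is an added example, not code from the stadeo repository or from ESET: it replaces Miasm with a hand-written mini IR so it runs stand-alone, and shows the core of CFF recovery on a constructed flattened function: locate the dispatcher and its state variable, compute each block's effect on that variable by forward constant propagation, rewrite the jump back to the dispatcher into direct edges, and check the result by executing both versions. Every opcode, block name and state constant is made up for the example.

```python
"""Toy control-flow-flattening (CFF) recovery.

Added example for this page, not code from the stadeo repository. It uses a
hand-written mini IR instead of Miasm; all names and values are constructed.
"""

# Mini IR (constructed): ("mov"|"add"|"mul", dst, imm); ("cmov", dst, cond, imm_t, imm_f);
# ("switch", var, {imm: label}); ("jmp", label); ("jcc", cond, label_t, label_f);
# ("ret", var).  A cond is (var, op, imm) with op one of "<", "==", ">".

# Constructed flattened function computing: x += 1; while x < 20: x *= 2; return x
FLATTENED = {
    "entry":    [("mov", "state", 0x1F3), ("jmp", "dispatch")],
    "dispatch": [("switch", "state", {0x1F3: "B1", 0x2A7: "B2", 0x3B9: "B3", 0x4C0: "B4"})],
    "B1":       [("add", "x", 1), ("mov", "state", 0x2A7), ("jmp", "dispatch")],
    "B2":       [("cmov", "state", ("x", "<", 20), 0x3B9, 0x4C0), ("jmp", "dispatch")],
    "B3":       [("mul", "x", 2), ("mov", "state", 0x2A7), ("jmp", "dispatch")],
    "B4":       [("ret", "x")],
}


def eval_cond(cond, regs):
    var, op, imm = cond
    return {"<": regs[var] < imm, "==": regs[var] == imm, ">": regs[var] > imm}[op]


def find_dispatcher(cfg):
    """The dispatcher is the block made of a single switch; its operand is the state variable."""
    for name, body in cfg.items():
        if len(body) == 1 and body[0][0] == "switch":
            return name, body[0][1], body[0][2]
    raise ValueError("no dispatcher block found")


def resolve_state(body, state_var):
    """Forward constant propagation of the state variable through one block.
    Returns ("const", v), ("cond", cond, v_true, v_false), or None if unknown."""
    known = None
    for ins in body:
        if len(ins) < 2 or ins[1] != state_var:
            continue
        if ins[0] == "mov":
            known = ("const", ins[2])
        elif ins[0] == "cmov":
            known = ("cond", ins[2], ins[3], ins[4])
        elif ins[0] in ("add", "mul") and known and known[0] == "const":
            known = ("const", known[1] + ins[2] if ins[0] == "add" else known[1] * ins[2])
        else:  # opaque update (e.g. state read from memory): give up on this block
            known = None
    return known


def deflatten(cfg):
    """Replace 'jmp dispatcher' with resolved edges, drop dead state updates, remove the dispatcher."""
    disp, state_var, table = find_dispatcher(cfg)
    recovered = {}
    for name, body in cfg.items():
        if name == disp:
            continue
        new_body = [ins for ins in body if len(ins) < 2 or ins[1] != state_var]
        if body[-1] == ("jmp", disp):
            st = resolve_state(body, state_var)
            if st is None:
                raise ValueError(f"{name}: state before dispatcher is not constant")
            if st[0] == "const":
                new_body[-1] = ("jmp", table[st[1]])
            else:
                new_body[-1] = ("jcc", st[1], table[st[2]], table[st[3]])
        recovered[name] = new_body
    return recovered


def run(cfg, x, max_steps=10_000):
    """Tiny interpreter, used to check that the recovered CFG is behaviour-preserving."""
    regs, pc = {"x": x}, "entry"
    for _ in range(max_steps):
        for ins in cfg[pc]:
            op = ins[0]
            if op == "mov":
                regs[ins[1]] = ins[2]
            elif op == "add":
                regs[ins[1]] += ins[2]
            elif op == "mul":
                regs[ins[1]] *= ins[2]
            elif op == "cmov":
                regs[ins[1]] = ins[3] if eval_cond(ins[2], regs) else ins[4]
            elif op == "ret":
                return regs[ins[1]]
            else:  # switch / jmp / jcc: pick the next block and leave this one
                if op == "switch":
                    pc = ins[2][regs[ins[1]]]
                elif op == "jmp":
                    pc = ins[1]
                else:
                    pc = ins[2] if eval_cond(ins[1], regs) else ins[3]
                break
    raise RuntimeError("step limit exceeded")


if __name__ == "__main__":
    rec = deflatten(FLATTENED)
    for blk, body in rec.items():
        print(f"{blk:6} {body}")
    for x in (0, 3, 25):
        assert run(FLATTENED, x) == run(rec, x)
```

Two points carry over to real samples. First, the state value is only trivially constant here; in a real binary it lives in a register or stack slot and may be computed, which is why the project relies on Miasm's data-flow and symbolic execution rather than a hand-rolled propagation, and why `resolve_state` returning `None` is the honest outcome for an opaque update rather than something to paper over. Second, running the original and the recovered function on a handful of inputs is a cheap sanity check for the rewrite, not a proof of equivalence.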

stadeo's People

Contributors

nofiv

stadeo's Issues

sample requests

I want to try stadeo by following your usage examples. Can you provide the sample from the usage_examples.pdf?
SHA-1 of the sample: 791ad58d9bb66ea08465aad4ea968656c81d0b8e

New instructions on AsmBlocks

loc_key_12
CMP        RCX, 0x0
JZ         loc_25e10
->      c_next:loc_key_13       c_to:loc_25e10
Traceback (most recent call last):
  File "x/stadeo/stadeo/cff/cff_strategies.py", line 63, in solve_loop
    recognizer.recognize(only_one, context)
  File "x/stadeo/stadeo/cff/cff_recognizer.py", line 416, in recognize
    irb_bak = self._recog_init(merging_var_candidates)
  File "x/stadeo/stadeo/cff/cff_recognizer.py", line 317, in _recog_init
    self.ircfg = self.ir_arch.new_ircfg_from_asmcfg(self.asmcfg)
  File "y/lib/python3.8/site-packages/miasm/ir/ir.py", line 745, in new_ircfg_from_asmcfg
    self.add_asmblock_to_ircfg(block, ircfg)
  File "y/lib/python3.8/site-packages/miasm/ir/ir.py", line 832, in add_asmblock_to_ircfg
    split = self.add_instr_to_current_state(
  File "y/lib/python3.8/site-packages/miasm/ir/analysis.py", line 82, in add_instr_to_current_state
    assignblk, ir_blocks_extra = self.instr2ir(instr)
  File "y/lib/python3.8/site-packages/miasm/ir/ir.py", line 749, in instr2ir
    ir_bloc_cur, extra_irblocks = self.get_ir(instr)
  File "y/lib/python3.8/site-packages/miasm/arch/x86/sem.py", line 5812, in get_ir
    self.mod_pc(instr, instr_ir, extra_ir)
  File "y/lib/python3.8/site-packages/miasm/arch/x86/sem.py", line 5934, in mod_pc
    pc_fixed = {self.pc: m2_expr.ExprInt(instr.offset + instr.l, 64)}
TypeError: unsupported operand type(s) for +: 'NoneType' and 'NoneType'

I have a control-flow-obfuscated ELF library file. After upgrading stadeo to the latest miasm, I get this error, which means the newly created instructions after processing the jump table don't have the offset & l parameters, so the script cannot convert it to an IRCFG. Is this because of new internals of miasm?
