Code Monkey home page Code Monkey logo

diana's Introduction

DiANa

DiANa is a binary-level deobfuscator for Android native code, which is based on Angr and Barf project.

Description

Currently, DiANa supports the deobfuscation for all three types of obfuscation from O-LLVM: Instructions Substitution, Bogus Control Flow and Control Flow Flattening.

We are now working on making DiANa into a general-purpose deobfuscator.

Run DiANa

Dependencies

Deobfuscate your executable file

In your terminal,

python DiANa.py -i|--input <FILEPATH> -t|--type <DEOBFUS_TYPE> -a|--address <FUNC_ADDR> -o|--output <OUTPUT_PATH> -l|--loop <CHECK_LOOP>

  • <FILEPATH> is the path of the obfuscated binary file.

  • <DEOBFUS_TYPE> can be any combination of 1, 2 and 3. 1 means the Instructions Substitution deobfuscation, 2 means the Bogus Control Flow deobfuscation and 3 means the Control Flow Flattening deobfuscation. If the type flag is empty, DiANa would deobfuscate the input binary from the all three obfuscating approaches.

  • <FUNC_ADDR> is the entry point of the obfuscated function, which could be extracted from some disassembler (e.g IDA).

  • <OUTPUT_PATH> suggests the output file path.

  • <CHECK_LOOP> is the loops of the deobfuscating process. The deflaut value is 5.

For example, you can run the following command to analyze Function_A (0x1234) from the file "Users/example/example.so":

 python DiANa.py -i "Users/example/example.so" -t 123 -a 0x1234 -o "Users/example/output/" -l 3

Currently, DiANa could only recover a binary obfuscated by Control Flow Flattening to a control flow graph level.

After deobfuscation of Control Flow Flattening, a file named XXX_recovered.dot will be generated in the output directory. You can use vscode to view the generated CFG.

Other Content Included in This Repository

  • ./CFG-optimization directory: A python sript used to optimize the recovered CFG. The optimization rules could be found in the original paper.

  • ./Evaluation/ directory: The deobfuscation result of the evaluation part.

  • ./requirments.txt file: The required components that the DiANa project relies on. You should install these components before running DiANa on your computer.

pip install -r requriements.txt

Acknowledgement

The implementation of symbol execution in DiANa (CFF part) inspried by the deflat script of the GitHub user liumengdeqq on x86 platform.

diana's People

Contributors

deep-learning-malware avatar diana-deobfuscation-2020 avatar

Watchers

James Cloos avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.