
bt_tool's Introduction

BT_tool

Identifying Go functions from the raw binary during malware sample analysis

Recovering function symbols from the gopclntab section is convenient, but if that section is missing, nothing can be recovered, and the approach is also tied to specific Go versions. Identifying Go functions from the binary code itself guards against the case where an attacker has modified or stripped the gopclntab data so that function names can no longer be recovered that way. The drawback is that the number of functions that can be identified depends on the number of YARA rules available.

Usage

Identifying functions

Run BT_tools.py inside IDA to perform function identification.

 ____ _____           ____  _     _   _                   _     _     
| __ )_   _|         |  _ \(_)___| |_(_)_ __   __ _ _   _(_)___| |__  
|  _ \ | |    _____  | | | | / __| __| | '_ \ / _` | | | | / __| '_ \ 
| |_) || |   |_____| | |_| | \__ \ |_| | | | | (_| | |_| | \__ \ | | |
|____/ |_|           |____/|_|___/\__|_|_| |_|\__, |\__,_|_|___/_| |_|
                                              |___/                   
author:     萝卜
time:       2021.08.04  
contact:    [email protected] 

The identification results look like this:

地址为 004d43c0 的函数识别到已有规则  系统架构:Linux	Go版本:GO-1.16	函数名:fmt_Fprintln
地址为 00643180 的函数识别到已有规则  系统架构:Linux	Go版本:GO-1.16	函数名:os_exec___Cmd__Output
地址为 005fc5c0 的函数识别到已有规则  系统架构:Linux	Go版本:GO-1.16	函数名:net_http___Client__Post
地址为 005fab80 的函数识别到已有规则  系统架构:Linux	Go版本:GO-1.16	函数名:net_http___Client__Get

Adding a YARA rule for a function

Edit the configuration items in BT_add_yara.py:

    funcname = "os_exec_Command"
    funcaddr = 0x00645E40
    go_arch = "Linux"
    go_version = "GO-1.14"

Then run the script in IDA.
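To illustrate the mechanism the two scripts rely on, here is an added example (not BT_tool's own code): two builds of the same function are diffed into a YARA-style hex pattern where build-specific bytes such as a rel32 call displacement become "??" wildcards, each rule carries the same funcname/go_arch/go_version metadata BT_add_yara.py asks for, and a matcher tags function start addresses the way BT_tools.py reports them. All byte strings are constructed sample data, not bytes from a real Go binary.

```python
# Added example, not BT_tool's own code. Demonstrates signature-based Go
# function identification: build a wildcarded hex pattern from two builds of
# one function, then match rules against function starts in a target image.
# All byte strings below are constructed sample data, not real Go code.

def make_pattern(samples):
    """Build a YARA-style hex pattern from byte samples of the same function
    taken from different builds; positions where they disagree become '??'."""
    length = min(len(s) for s in samples)
    tokens = []
    for i in range(length):
        column = {s[i] for s in samples}
        tokens.append(f"{column.pop():02x}" if len(column) == 1 else "??")
    return " ".join(tokens)

def compile_pattern(pattern):
    """Turn 'e8 ?? ?? ?? ?? c3' into a list of ints, with None for wildcards."""
    return [None if tok == "??" else int(tok, 16) for tok in pattern.split()]

def matches_at(compiled, data, offset):
    """True if the compiled pattern matches data starting at offset."""
    if offset + len(compiled) > len(data):
        return False
    return all(b is None or data[offset + i] == b for i, b in enumerate(compiled))

def identify(rules, data, base, func_starts):
    """For each function start address, report the first matching rule as
    {addr: (go_arch, go_version, funcname)}; unmatched functions are omitted."""
    compiled = [(compile_pattern(r["pattern"]), r) for r in rules]
    hits = {}
    for addr in func_starts:
        for pat, rule in compiled:
            if matches_at(pat, data, addr - base):
                hits[addr] = (rule["go_arch"], rule["go_version"], rule["funcname"])
                break
    return hits

# Constructed prologue + call + epilogue of one function from two builds; only
# the rel32 displacement after the e8 call opcode differs, so it is wildcarded.
BUILD_A = bytes.fromhex("64488b0c25f8ffffff483b61107605" "e811223344" "4883c420c3")
BUILD_B = bytes.fromhex("64488b0c25f8ffffff483b61107605" "e8aabbccdd" "4883c420c3")
RULES = [{"funcname": "os_exec_Command", "go_arch": "Linux", "go_version": "GO-1.14",
          "pattern": make_pattern([BUILD_A, BUILD_B])}]

# Constructed target image at base 0x400000: the function at +0x10 with a third
# displacement, and an unrelated function (all 0xff bytes) at +0x30.
BASE = 0x400000
IMAGE = (b"\x90" * 0x10
         + bytes.fromhex("64488b0c25f8ffffff483b61107605" "e8deadbeef" "4883c420c3")
         + b"\x90" * 7 + b"\xff" * 0x20)
FUNC_STARTS = [BASE + 0x10, BASE + 0x30]

if __name__ == "__main__":
    for addr, (arch, ver, name) in identify(RULES, IMAGE, BASE, FUNC_STARTS).items():
        print(f"{addr:08x} arch={arch} go={ver} func={name}")
```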

Listing the supported YARA rules

Run python BT_show_all_yara.py in a terminal; the output looks like this:

~/go/RT
❯ python show_all_yara.py

 ____ _____           ____  _                    __   __
| __ )_   _|         / ___|| |__   _____      __ \ \ / /_ _ _ __ __ _
|  _ \ | |    _____  \___ \| '_ \ / _ \ \ /\ / /  \ V / _` | '__/ _` |
| |_) || |   |_____|  ___) | | | | (_) \ V  V /    | | (_| | | | (_| |
|____/ |_|           |____/|_| |_|\___/ \_/\_/     |_|\__,_|_|  \__,_|


author:     萝卜
time:       2021.08.04
contact:    [email protected]


Go版本:GO-1.14, 系统架构:Linux, 函数名:net_http___Client__Post
Go版本:GO-1.14, 系统架构:Linux, 函数名:os_exec_Command
Go版本:GO-1.16, 系统架构:Linux, 函数名:os_exec___Cmd__Output
Go版本:GO-1.16, 系统架构:Linux, 函数名:fmt_Fprintln
Go版本:GO-1.16, 系统架构:Linux, 函数名:net_http___Client__Get
Go版本:GO-1.16, 系统架构:Linux, 函数名:net_http___Client__Post
Go版本:GO-1.14, 系统架构:Linux, 函数名:net_http___Client__Get

Contributors

wxm-radish
