binee
1.0.0
Binee是一个完整的二元仿真环境,侧重于所有IO操作的内省。该项目的主要目标是提供一个灵活的环境,以确定对系统的二进制副作用。
Binee试图解决的目标如下:
如果您选择使用Binee效仿Microsoft Windows的部分,那么您将完全负责从Microsoft获得任何必要的权利和许可。
请随时提交GitHub问题,或者如果您想直接与我们交谈,来加入就很懈怠
松弛的工作区
幻灯片
演示视频
推介会
如果您在Microsoft Windows上运行Binee,则可以跳过模拟文件系统步骤。
大多数恶意软件至少需要一些标准的DLL,并且需要从模拟文件系统访问这些DLL。默认的“ root”模拟文件系统位于os/win10_32/中。为了允许恶意软件加载DLL,您需要将其复制到模拟文件系统中的适当位置。通常,它们应复制到os/win10_32/windows/system32/ 。当前,仅支持从32位窗口安装中拉出的32位DLL。在该目录中拥有所需的文件后,您可以转到编译和运行步骤。
使用以下docker命令docker build -t binee .
docker run -it -v $PWD:/bineedev/go/src/github.com/carbonblack/binee binee bash
下载Golang依赖并建立Binee
root@2b0fee41629f:~/go/src/github.com/carbonblack/binee# go build
注意:mod文件的存在将指示构建实用程序在构建时收集依赖项,还允许在任何路径(无论$GOPATH )目录中克隆和开发存储库
此时,您应该能够在Docker容器中执行Binee并查看使用菜单。
root@6a6fe8c2b2a7:~/go/src/github.com/carbonblack/binee# ./binee -h
Usage of ./binee:
-A list all apisets and their mappings
-a string
get the real dll name from an apiset name
-c string
path to configuration file
-d show the dll prfix on all function calls
-e dump pe file's exports table
-i dump a pe file's imports table
-j output data as json
-l call DLLMain while loading DLLs
-r string
root path of mock file system, defaults to ./os/win10_32 (default "os/win10_32/")
-v verbose level 1
-vv
verbose level 2
如果您在Microsoft Windows上运行和/或对模拟文件系统进行了正确配置,则应该能够在tests/目录中执行所有PE文件。
root@6a6fe8c2b2a7:~/go/src/github.com/carbonblack/binee# go build && ./binee tests/ConsoleApplication1_x86.exe
[1] 0x2190c0b0: F GetSystemTimeAsFileTime(lpSystemTimeAsFileTime = 0xb7feffe0) = 0xb7feffe0
[1] 0x21905b40: P GetCurrentThreadId() = 0x0
[1] 0x219138d0: P GetCurrentProcessId() = 0x2001
[1] 0x2011ef30: P GetCurrentProcessId() = 0x2001
[1] 0x21905b50: F QueryPerformanceCounter(lpPerformanceCount = 0xb7feffd8) = 0x1
[1] 0x2190c500: F IsProcessorFeaturePresent(ProcessorFeature = 0xa) = 0x1
[1] 0x213af570: F _initterm_e(PVFV = 0x4020d8, PVFV = 0x4020e4) = 0x0
[1] 0x213af970: F _initterm(PVPV = 0x4020cc, PVPV = 0x4020d4) = 0x0
[1] 0x213be980: F __p___argv() = 0x7ffe0004
[1] 0x213b96f0: F __p___argc() = 0x7ffe0000
[1] 0x213bec50: F _get_initial_narrow_environment() = 0x7ffe0000
[1] 0x213ac0a0: P __acrt_iob_func() = 0x5dda9c68
[1] 0x213bb710: F __stdio_common_vfprintf(stream = 0x0, format = 'GENERIC_READ = 0x%llxn', p0 = 0x80000000) = 0x403380
[1] 0x213ac0a0: P __acrt_iob_func() = 0x403380
[1] 0x213bb710: F __stdio_common_vfprintf(stream = 0x0, format = 'GENERIC_WRITE = 0x%llxn', p0 = 0x40000000) = 0x403380
[1] 0x213ac0a0: P __acrt_iob_func() = 0x403380
[1] 0x213bb710: F __stdio_common_vfprintf(stream = 0x0, format = 'INVALID_HANDLE = 0x%llxn', p0 = 0xffffffff) = 0x403380
[1] 0x213ac0a0: P __acrt_iob_func() = 0x0
[1] 0x213bb710: F __stdio_common_vfprintf(stream = 0x0, format = 'CREATE_ALWAYS = 0x%xn', p0 = 0x2) = 0x403380
[1] 0x213ac0a0: P __acrt_iob_func() = 0x403380
[1] 0x213bb710: F __stdio_common_vfprintf(stream = 0x0, format = 'FILE_ATTRIBUTE_NORMAL = 0x%xn', p0 = 0x80) = 0x403380
[1] 0x213ac0a0: P __acrt_iob_func() = 0x403380
[1] 0x213bb710: F __stdio_common_vfprintf(stream = 0x0, format = 'ERROR_SUCCESS = 0x%xn', p0 = 0x0) = 0x403380
[1] 0x21913b80: F CreateFileA(lpFileName = 'malfile.exe', dwDesiredAccess = 0xc0000000, dwShareMode = 0x0, lpSecurityAttributes = 0x0, dwCreationDisposition = 0x2, dwFlagsAndAttributes = 0x80, hTemplateFile = 0x0) = 0xa00007b6
[1] 0x2196bfbe: F VerSetConditionMask() = 0xa00007b6
[1] 0x213ac0a0: P __acrt_iob_func() = 0xa00007b6
[1] 0x213bb710: F __stdio_common_vfprintf(stream = 0x0, format = 'out = 0x%xn', p0 = 0xa00007b6) = 0x403380
[1] 0x2196bfbe: F VerSetConditionMask() = 0x403380
[1] 0x213ac0a0: P __acrt_iob_func() = 0x403380
[1] 0x213bb710: F __stdio_common_vfprintf(stream = 0x0, format = 'out = 0x%xn', p0 = 0x403380) = 0x403380
[1] 0x2196bfbe: F VerSetConditionMask() = 0x403380
[1] 0x213ac0a0: P __acrt_iob_func() = 0x403380
[1] 0x213bb710: F __stdio_common_vfprintf(stream = 0x0, format = 'out = 0x%xn', p0 = 0x403380) = 0x403380
[1] 0x21bc0780: P memset(dest = 0xb7feff1c, char = 0x0, count = 0x58) = 0xb7feff1c
[1] 0x21914000: F WriteFile(hFile = 0xa00007b6, lpBuffer = 0xb7feff10, nNumberOfBytesToWrite = 0xb, lpNumberOfBytesWritten = 0xb7feff0c, lpOverlapped = 0x0) = 0xb
[1] 0x2190c500: F IsProcessorFeaturePresent(ProcessorFeature = 0x17) = 0x1
[1] 0x2190fef0: F SetUnhandledExceptionFilter(lpTopLevelExceptionFilter = 0x0) = 0x4
[1] 0x21927950: F UnhandledExceptionFilter(ExceptionInfo = 0x402100) = 0x1
[1] 0x219138c0: P GetCurrentProcess() = 0x1
[1] 0x20122cb0: P GetCurrentProcess() = 0x1
[1] 0x21910690: F TerminateProcess(hProcess = 0xffffffff, uExitCode = 0xc0000409) = 0xffffffff
1-Install MSYS64/32:https://osdn.net/projects/mingw/releases/
2更新系统软件包:
$ pacman --needed -Sy bash pacman pacman-mirrors msys2-runtime
-Restart msys然后更新其他所有内容:
$ pacman -Su
要为Windows 32位编译,请运行:
$ pacman -S python2
$ pacman -S make
$ pacman -S mingw-w64-i686-toolchain
要为Windows 64位编译,请运行:
$ pacman -S python2
$ pacman -S make
$ pacman -S mingw-w64-x86_64-toolchain
- 安装去:
pacman -S mingw-w64-x86_64-go
再次3个总体MSYS;然后克隆到Unicorn并安装它:
git clone https://github.com/unicorn-engine/unicorn
cd unicorn
./make.sh
./make.sh install
4-Clone Binee并建造cd binee
go build
