
BeaEngine is a C library designed to decode instructions from 16-bit, 32-bit and 64-bit Intel architectures. It covers the FPU, MMX, SSE, SSE2, SSE3, SSE4.1, SSE4.2, VMX, CLMUL, AES, MPX, AVX2, AVX512 (VEX and EVEX prefixes), CET, BMI1, BMI2 and KL extensions. If you want to analyze malicious code, and more generally obfuscated code, BeaEngine returns a complex structure that precisely describes the analyzed instruction.
You can use it from C/C++ (compatible with Visual Studio, GCC, MinGW, DigitalMars, BorlandC, WatcomC, SunForte, Pelles C and LCC), from assembler (masm32 and masm64, nasm, fasm, GoAsm), from Python3, from Delphi and from PureBasic. You can use it in user mode and in kernel mode.
First, you can retrieve mnemonics and operands in the syntax you specify: the Intel syntax of nasm, masm32 and masm64, GoAsm32 and GoAsm64 (there is currently no AT&T syntax). Next, you can implement an accurate analysis of data flow and control flow, to generate slices or obfuscation patterns.
Its source code is under the LGPL3 license, with a "makefile builder" and headers for the following languages: C/C++, C#, Python3, Delphi, PureBasic, masm32, masm64, NASM (x86 and x64), FASM (x86 and x64), GoAsm (x86 and x64).
BeaEngine is implemented from the opcode tables of the Intel documentation, Christian Ludloff's website www.sandpile.org and Felix Cloutier's project x86doc at https://www.felixcloutier.com.
This software is distributed under the LGPL license. See the COPYING files for more details.
```python
#!/usr/bin/python3
from BeaEnginePython import *

# Decode one EVEX-encoded instruction from raw bytes and print its textual form.
instr = Disasm(bytes.fromhex('6202054000443322'))
instr.read()
print(instr.repr())
```
The output is:
```
vpshufb zmm24, zmm31, zmmword ptr [r11+r14+0880h]
```
Find the instructions that modify the rax register:
```python
#!/usr/bin/python3
from BeaEnginePython import *

buffer = bytes.fromhex('4831c04889fbffc04989c49031ed66586a005f80c40c')
instr = Disasm(buffer)
# read() returns the decoded length; it is 0 (or negative) when the buffer is exhausted.
while instr.read() > 0:
    if instr.modifies("rax"):
        print(f"{instr.repr():20}rax register is modified")
    else:
        print(instr.repr())
```
The output is:
```
xor rax, rax        rax register is modified
mov rbx, rdi
inc eax             rax register is modified
mov r12, rax
nop
xor ebp, ebp
pop ax              rax register is modified
push 00000000h
pop rdi
add ah, 0Ch         rax register is modified
```
```python
#!/usr/bin/python3
from BeaEnginePython import *

# Walk the buffer and, on each jump, continue decoding at the jump target
# instead of at the next byte (follows the control flow rather than the layout).
instr = Disasm(bytes.fromhex('e90000000090e901000000cc90'))
while instr.read() > 0:
    print(instr.repr())
    if instr.is_jump():
        instr.follow()
```
Let's extract the full instruction structure:
```python
#!/usr/bin/python3
from BeaEnginePython import *

instr = Disasm(bytes.fromhex('62017d8115443322'))
instr.read()
print(instr.json())
```
The output is:
```json
{
  "repr": "vunpckhpd xmm24, xmm16, xmmword ptr [r11+r14+0220h]",
  "category": "AVX512_INSTRUCTION",
  "mnemonic": "vunpckhpd ",
  "bytes": "62 01 7d 81 15 44 33 22",
  "error": 0,
  "arch": 64,
  "operands": {
    "1": {
      "repr": "xmm24",
      "type": "register",
      "size": 128,
      "mode": "write",
      "register": {
        "type": "xmm",
        "value": "REG24"
      }
    },
    "2": {
      "repr": "xmm16",
      "type": "register",
      "size": 128,
      "mode": "read",
      "register": {
        "type": "xmm",
        "value": "REG16"
      }
    },
    "3": {
      "repr": "r11+r14+0220h",
      "type": "memory",
      "size": 128,
      "mode": "read",
      "memory": {
        "base": "REG11",
        "index": "REG14",
        "scale": 1,
        "displacement": "0x22"
      }
    }
  },
  "registers": {
    "modified": {
      "type": 4,
      "gpr": "",
      "mmx": "",
      "xmm": "REG24",
      "ymm": "",
      "zmm": "",
      "special": "",
      "cr": "",
      "dr": "",
      "mem_management": "",
      "mpx": "",
      "opmask": "",
      "segment": "",
      "fpu": "",
      "tmm": ""
    },
    "read": {
      "type": 5,
      "gpr": "REG11+REG14",
      "mmx": "",
      "xmm": "REG16",
      "ymm": "",
      "zmm": "",
      "special": "",
      "cr": "",
      "dr": "",
      "mem_management": "",
      "mpx": "",
      "opmask": "",
      "segment": "",
      "fpu": "",
      "tmm": ""
    }
  },
  "rflags": {
    "of": null,
    "sf": null,
    "zf": null,
    "af": null,
    "pf": null,
    "cf": null,
    "tf": null,
    "if": null,
    "df": null,
    "nt": null,
    "rf": null
  }
}
```
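As an added example (not part of the BeaEngine project or its documentation), the following script consumes the `json()` structure shown above to build per-instruction def/use sets and a backward slice, the kind of data-flow analysis mentioned in the introduction. It does not need BeaEngine installed: the first record is the `vunpckhpd` output above, trimmed to its `registers` section, and the remaining records are constructed, simplified records modelled on the rax example. They are written in BeaEngine's `REGn` naming with `REG0` = rax, `REG3` = rbx, `REG5` = rbp, `REG7` = rdi and `REG12` = r12, an assumption inferred from the output above, where r11 appears as `REG11`, r14 as `REG14` and xmm24 as `REG24`.

```python
#!/usr/bin/python3
# Added example: def/use sets and a backward slice over BeaEngine json() records.
# Not part of the BeaEngine project; runs without BeaEngine installed.
import json

# Register classes as they appear under "registers"/"modified" and "registers"/"read".
REG_CLASSES = ("gpr", "mmx", "xmm", "ymm", "zmm", "special", "cr", "dr",
               "mem_management", "mpx", "opmask", "segment", "fpu", "tmm")

# 64-bit GPR names in Intel encoding order. Assumption: BeaEngine's REGn uses the
# same index (the output above shows r11 as REG11 and r14 as REG14).
GPR64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"] + [f"r{i}" for i in range(8, 16)]

# The vunpckhpd record printed above, trimmed to the fields used here.
VUNPCKHPD = json.loads("""{
  "repr": "vunpckhpd xmm24, xmm16, xmmword ptr [r11+r14+0220h]",
  "registers": {
    "modified": {"gpr": "", "xmm": "REG24"},
    "read": {"gpr": "REG11+REG14", "xmm": "REG16"}
  }
}""")

def make_record(repr_, modified_gpr, read_gpr):
    """Constructed, simplified json()-style record with only GPR def/use filled in."""
    return {"repr": repr_,
            "registers": {"modified": {"gpr": modified_gpr}, "read": {"gpr": read_gpr}}}

# Constructed records for the first six instructions of the rax example above.
RAX_SEQUENCE = [
    make_record("xor rax, rax", "REG0", "REG0"),
    make_record("mov rbx, rdi", "REG3", "REG7"),
    make_record("inc eax", "REG0", "REG0"),
    make_record("mov r12, rax", "REG12", "REG0"),
    make_record("nop", "", ""),
    make_record("xor ebp, ebp", "REG5", "REG5"),
]

def parse_regs(field):
    """BeaEngine joins several registers with '+': 'REG11+REG14' -> {'REG11', 'REG14'}."""
    return {r for r in field.split("+") if r}

def def_use(record):
    """Return (defs, uses) as sets of 'class:REGn' strings for one record."""
    regs = record["registers"]
    defs = {f"{c}:{r}" for c in REG_CLASSES for r in parse_regs(regs["modified"].get(c, ""))}
    uses = {f"{c}:{r}" for c in REG_CLASSES for r in parse_regs(regs["read"].get(c, ""))}
    return defs, uses

def pretty(tag):
    """'gpr:REG11' -> 'r11'; other classes keep class + index, e.g. 'xmm:REG24' -> 'xmm24'."""
    cls, reg = tag.split(":")
    n = int(reg[3:])
    return GPR64[n] if cls == "gpr" and n < len(GPR64) else f"{cls}{n}"

def backward_slice(records, target):
    """Indices of the straight-line records that contribute to `target` at the end.
    Walking backwards, an instruction joins the slice if it defines a wanted register;
    the registers it reads then become wanted in their turn."""
    wanted = {target}
    picked = []
    for i in range(len(records) - 1, -1, -1):
        defs, uses = def_use(records[i])
        if defs & wanted:
            picked.append(i)
            wanted = (wanted - defs) | uses
    return sorted(picked)

if __name__ == "__main__":
    defs, uses = def_use(VUNPCKHPD)
    print(VUNPCKHPD["repr"])
    print("  writes:", sorted(map(pretty, defs)), " reads:", sorted(map(pretty, uses)))
    for i in backward_slice(RAX_SEQUENCE, "gpr:REG12"):
        print(f"slice for r12 <- {RAX_SEQUENCE[i]['repr']}")
```

With real input you would replace the constructed records by `json.loads(instr.json())` collected in the `while instr.read() > 0` loop; the slice for r12 then lists `xor rax, rax`, `inc eax` and `mov r12, rax`, skipping the unrelated `mov rbx, rdi` and `nop`.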
https://github.com/beaengine/beaengine/releases
```shell
apt install cmake
git clone https://github.com/BeaEngine/beaengine.git
cmake beaengine
make
```
```shell
cmake -DoptBUILD_DLL=ON beaengine
make
```
The current documentation explains how BeaEngine's structures work.
The old documentation can be read here: http://beatrix2004.free.fr/beaengine/index1.php
PDF documentation can be generated for each BeaEngine release:
```shell
sudo apt install pandoc texlive-latex-extra
cd doc
pandoc --highlight-style tango -V mainfont="Arial" -V geometry:margin=1cm --output=beaengine.pdf beaengine.md
pandoc --highlight-style tango -V mainfont="Arial" -V geometry:margin=1cm --output=examples.pdf examples.md
```
Some basic examples showing how BeaEngine works can be found here.
If you want to improve BeaEngine or just add some private features, here are some links: