PyREBox

0x1
Python scriptable Reverse Engineering Sandbox


PyREBox is a Python scriptable Reverse Engineering sandbox. It is based on QEMU, and its goal is to aid reverse engineering by providing dynamic analysis and debugging capabilities from a different perspective. PyREBox allows you to inspect a running QEMU VM, modify its memory or registers, and instrument its execution by creating simple scripts in Python to automate any kind of analysis. QEMU (when working as a whole-system emulator) emulates a complete system (CPU, memory, devices...). By using VMI techniques, it does not require any modification to the guest operating system, as it transparently retrieves information from its memory at run-time.

Several academic projects such as DECAF, PANDA, S2E, or AVATAR have previously leveraged QEMU-based instrumentation to tackle reverse engineering tasks. These projects allow writing plugins in C/C++, and implement several advanced features such as dynamic taint analysis, symbolic execution, or even record and replay of execution traces. With PyREBox, we aim to apply this technology while focusing on keeping the design simple, and on the usability of the system for threat analysts.

Video Presentation


What's new

Remember to pull the latest version of PyREBox in order to enjoy its latest features. PyREBox is under active development and new cool features are yet to come! The master branch should always contain a stable version, while the dev branches contain the latest, work-in-progress features. The following announcement list refers to the master branch, and the date when the development changes were merged into master.

  • [Jun 21, 2019] Upgraded QEMU to version 4.0.0, with MTTCG (multi-threaded TCG) support. Special thanks to @richsurgenor for his valuable contributions to this upgrade.
  • [Jun 17, 2019] Merge of dev branch (Malware monitor 2).
  • [Jun 17, 2019] Mouse movement automation.
  • [Jun 17, 2019] Upgraded volatility.
  • [Oct 17, 2018] Added API function to get system time from windows guests.
  • [Oct 17, 2018] Added support for symbols in BP (breakpoint) class.
  • [Oct 17, 2018] Added symbol cache (host file). See example configuration files (pyrebox.conf.WinXPSP3x86).
  • [Oct 17, 2018] Changed symbol fetching to obtain DLL files from disk.
  • [Oct 10, 2018] Added experimental support to fetch non-mapped memory pages.
  • [Oct 10, 2018] Added The Sleuth Kit integration.
  • [Aug 02, 2018] Added autorun scripts.
  • [Jul 26, 2018] Uploaded slides of EuskalHack 2018 presentation.
  • [Jul 02, 2018] Fixes to provide CentOS 7 support.
  • [Jun 25, 2018] Added scripts presented at EuskalHack 2018.
  • [May 31, 2018] Upgraded to Qemu v2.12.0.
  • [May 29, 2018] Added the possibility to call trigger functions (in C/C++) from python scripts.
  • [May 29, 2018] Changed the callback parameter format. See documentation. Default is still the old-style.
  • [Apr 28, 2018] Created a development branch for new and potentially unstable features in PyREBox.
  • [Apr 13, 2018] Presented PyREBox at HITB Amsterdam (CommSec track).
  • [Apr 13, 2018] Added malware monitoring scripts (mw_mon).
  • [Mar 08, 2018] Triggers are now called for every process in the system (not only monitored processes). See documentation.
  • [Mar 08, 2018] Changed memory read/write callback parameters. See documentation and examples.
  • [Mar 08, 2018] Added physical memory address read/write breakpoints.
  • [Mar 08, 2018] Added module load and remove callbacks.
  • [Nov 02, 2017] Added guest agent for linux 32 and 64 bits.
  • [Oct 23, 2017] Added guest agent for Windows 32 and 64 bits.
  • [Oct 11, 2017] Added linux module symbol parsing.
  • [Sep 22, 2017] Added support for module reloading.
  • [Sep 20, 2017] Added custom function callback to BP class.
  • [Sep 20, 2017] Upgraded to Qemu v2.10.0.
  • [Aug 31, 2017] Partial support for linux guests.
