
A framework for decoding encoded strings and files in malware via IDA Pro IDAPython scripting.

Project description

DC3-Kordesii

Changelog | Releases

DC3-Kordesii is a framework for decoding encoded strings and files in malware via IDA Pro IDAPython scripting. One parser module is usually created per malware family. It is designed to ease the burden of encoded string extraction by doing it in an automated, static way, and to provide a standard set of functionality and methodologies. It supports both analyst-directed analysis and large-scale automated execution, via the REST API, the CLI, or by manually running decoders in IDA.

DC3-Kordesii is authored by the Department of Defense Cyber Crime Center (DC3).

Guides

Dependencies

DC3-Kordesii requires the following:

  • Python 3.7+ (64 bit)
  • IDA Pro 7.* (tested and developed with 7.4)
  • (optional) Hex-Rays Decompiler for x86/x64 architectures
    • (Used to improve the accuracy of function-argument recovery in function_tracing)

Install

> pip install kordesii

Alternatively you can clone this repo and install locally.

> git clone https://github.com/Defense-Cyber-Crime-Center/kordesii.git
> pip install ./kordesii

For development, use the -e flag to install in editable mode:

> git clone https://github.com/Defense-Cyber-Crime-Center/kordesii.git
> pip install -e ./kordesii

Setup IDA location

By default kordesii assumes you are on Windows and have installed IDA under the default location C:/Program Files/IDA Pro *. If you have installed IDA at a different location or are running on another operating system, set the IDA_DIR environment variable to point to where IDA has been installed.

Usage

DC3-Kordesii is designed to standardize automation of a task typically done by one-off scripts. Most automated processing systems will use a condition, such as a YARA signature match, to trigger execution of a particular DC3-Kordesii decoder.

There are two options for integrating DC3-Kordesii:

  • CLI: kordesii
  • REST API: kordesii serve

CLI tool

The kordesii tool provides functionality to run and test decoders on files:

> kordesii parse Sample ./kordesii/decoders/tests/strings.exe
[+] (kordesii): Parsing: ./kordesii/decoders/tests/strings.exe
[+] (kordesii.core): IDA return code = 0
----Decoded Strings----

Hello World!
Test string with key 0x02
The quick brown fox jumps over the lazy dog.
Oak is strong and also gives shade.
Acid burns holes in wool cloth.
Cats and dogs each hate the other.
Open the crate but don't break the glass.
There the flood mark is ten inches.
1234567890
CreateProcessA
StrCat
ASP.NET
kdjsfjf0j24r0j240r2j09j222
32897412389471982470
The past will look brighter tomorrow.
Cars and busses stalled in sand drifts.
The jacket hung on the back of the wide chair.
32908741328907498134712304814879837483274809123748913251236598123056231895712

----Debug----

[+] IDA return code = 0

> kordesii test Sample
Running test cases. May take a while...
 1/1 - kordesii:Sample strings.exe 8.9183s

Test stats:

Top 10 Slowest Test Cases:
 1. kordesii:Sample strings.exe 8.9183s

Top 10 Fastest Test Cases:
 1. kordesii:Sample strings.exe 8.9183s

Mean Running Time: 8.9183s
Median Running Time: 8.9183s
Cumulative Running Time: 0:00:08.918259

Total Running Time: 0:00:09.480942
All Passed = True

See kordesii -h for the full set of options.

REST API

The REST API provides two commonly used functions:

  • /run_decoder/<decoder> -- executes a decoder on an uploaded file
  • /descriptions -- provides a list of available parsers

To use, first start the server by running:

> kordesii serve

The following curl commands demonstrate how to use this web service:

> curl --form data=@README.md http://localhost:8080/run_decoder/foo
> curl http://localhost:8080/descriptions

A simple HTML interface is also available at the same address. Individual samples can be submitted and results saved as JSON, plain text, or ZIP archives.
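A small Python client for the two endpoints above, added here as an example and not part of kordesii itself. It assumes the server's default address http://localhost:8080 from kordesii serve, the form field name data used in the curl command, and that /run_decoder and /descriptions answer with JSON (the response format is not documented above).

```python
"""Minimal stdlib client for the kordesii REST API (added example, not kordesii code)."""
import json
import os
import urllib.parse
import urllib.request

# Assumption: `kordesii serve` listens on its default address.
KORDESII_URL = "http://localhost:8080"


def build_multipart(field: str, filename: str, content: bytes, boundary: str) -> bytes:
    """Encode one file as a multipart/form-data body, like `curl --form field=@file`."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + content + tail


def run_decoder(decoder: str, path: str, base_url: str = KORDESII_URL) -> dict:
    """POST a sample to /run_decoder/<decoder>; the JSON response body is an assumption."""
    with open(path, "rb") as fh:
        content = fh.read()
    boundary = "----kordesii-" + os.urandom(8).hex()
    body = build_multipart("data", os.path.basename(path), content, boundary)
    url = f"{base_url}/run_decoder/{urllib.parse.quote(decoder, safe='')}"
    req = urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={"Content-Type": f"multipart/form-data; boundary={boundary}"},
    )
    # Decoders drive IDA, so a run can take many seconds; allow a generous timeout.
    with urllib.request.urlopen(req, timeout=600) as resp:
        return json.load(resp)


def list_decoders(base_url: str = KORDESII_URL) -> dict:
    """GET /descriptions to list the decoders the server knows about."""
    with urllib.request.urlopen(f"{base_url}/descriptions", timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    import sys  # usage: python client.py <decoder> <sample path>
    print(json.dumps(run_decoder(sys.argv[1], sys.argv[2]), indent=2))
```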

Logging

DC3-Kordesii uses Python's built-in logging module to log all messages. By default, logging is configured using the log_config.yml configuration file, which is currently set to log all messages to the console and error messages to %LOCALAPPDATA%/kordesii/errors.log. You can provide your own custom log configuration file by setting the environment variable KORDESII_LOG_CFG to its path. (Please see Python's documentation for more information on how to write your own configuration file.)

You may also use the --verbose or --debug flags to adjust the logging level when using the kordesii tool.

CPU Emulation

DC3-Kordesii includes an experimental tracing utility called function_tracing that can be used to statically emulate and trace instructions within a function.

Please see the CPU Emulation documentation for more information.

Download files


Source Distribution

kordesii-2.6.0.tar.gz (252.2 kB)

Built Distribution

kordesii-2.6.0-py3-none-any.whl (264.2 kB)

File details

Details for the file kordesii-2.6.0.tar.gz.

File metadata

  • Download URL: kordesii-2.6.0.tar.gz
  • Size: 252.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.2 CPython/3.8.18

File details

Details for the file kordesii-2.6.0-py3-none-any.whl.

File metadata

  • Download URL: kordesii-2.6.0-py3-none-any.whl
  • Size: 264.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.2 CPython/3.8.18
