A framework for decoding encoded strings and files in malware via IDA Pro IDAPython scripting.
Project description
DC3-Kordesii
DC3-Kordesii is a framework for decoding encoded strings and files in malware via IDA Pro IDAPython scripting. One parser module is usually created per malware family. It is designed to ease the burden of encoded string extraction by doing it in an automated, static way as well as to provide a standard set of functionality and methodologies. It supports both an analyst directed analysis and large-scale automated executing, utilizing either the REST API, the CLI or by manually running decoders in IDA.
DC3-Kordesii is authored by the Department of Defense Cyber Crime Center (DC3).
Guides
Dependencies
DC3-Kordesii requires the following:
- Python 3.7+ (64 bit)
- IDA Pro 7.* (tested and developed with 7.4)
- (optional) Hex Ray's Decompiler for x86/x64 architectures
- (Used to improve accuracy of getting function arguments in
function_tracing
)
- (Used to improve accuracy of getting function arguments in
Install
> pip install kordesii
Alternatively you can clone this repo and install locally.
> git clone https://github.com/Defense-Cyber-Crime-Center/kordesii.git
> pip install ./kordesii
For a development mode use the -e
flag to install in editable mode:
> git clone https://github.com/Defense-Cyber-Crime-Center/kordesii.git
> pip install -e ./kordesii
Setup IDA location
By default kordesii assumes you are on Windows and have installed IDA under the default location C:/Program Files/IDA Pro *
.
If you have installed IDA at a different location or running on another operating system, please set the IDA_DIR
environment
to point to where IDA has been installed.
Usage
DC3-Kordesii is designed to standardize automation of a task typically done by one-off scripts. Most automated processing systems will use a condition, such as a YARA signature match, to trigger execution of a particular DC3-Kordesii decoder.
There are 2 options for integration of DC3-Kordesii:
- CLI:
kordesii
- REST API:
kordesii serve
CLI tool
The kordesii
tool provides functionality to run and test decoders on files:
> kordesii parse Sample ./kordesii/decoders/tests/strings.exe
[+] (kordesii): Parsing: ./kordesii/decoders/tests/strings.exe
[+] (kordesii.core): IDA return code = 0
----Decoded Strings----
Hello World!
Test string with key 0x02
The quick brown fox jumps over the lazy dog.
Oak is strong and also gives shade.
Acid burns holes in wool cloth.
Cats and dogs each hate the other.
Open the crate but don't break the glass.
There the flood mark is ten inches.
1234567890
CreateProcessA
StrCat
ASP.NET
kdjsfjf0j24r0j240r2j09j222
32897412389471982470
The past will look brighter tomorrow.
Cars and busses stalled in sand drifts.
The jacket hung on the back of the wide chair.
32908741328907498134712304814879837483274809123748913251236598123056231895712
----Debug----
[+] IDA return code = 0
> kordesii test Sample
Running test cases. May take a while...
1/1 - kordesii:Sample strings.exe 8.9183s
Test stats:
Top 10 Slowest Test Cases:
1. kordesii:Sample strings.exe 8.9183s
Top 10 Fastest Test Cases:
1. kordesii:Sample strings.exe 8.9183s
Mean Running Time: 8.9183s
Median Running Time: 8.9183s
Cumulative Running Time: 0:00:08.918259
Total Running Time: 0:00:09.480942
All Passed = True
see kordesii -h
for full set of options
REST API
The REST API provides two commonly used functions:
/run_decoder/<decoder>
-- executes a decoder on uploaded file/descriptions
-- provides list of available parsers
To use, first start the server by running:
> kordesii serve
The following curl commands demonstrate how to use this web service:
> curl --form data=@README.md http://localhost:8080/run_decoder/foo
> curl http://localhost:8080/descriptions
A simple HTML interface is also available at the same address. Individual samples can be submitted and results saved as JSON, plain text, or ZIP archives.
Logging
DC3-Kordesii uses Python's builtin in logging
module to log all messages.
By default, logging is configured using the log_config.yml configuration
file. Which is currently set to log all messages to the console and error messages to %LOCALAPPDATA%/kordesii/errors.log
.
You can provide your own custom log configuration file by adding the path
to the environment variable KORDESII_LOG_CFG
. (Please see Python's documentation for more information on how to write your own configuration file.)
You may also use the --verbose
or --debug
flags to adjust the logging level when using the kordesii
tool.
CPU Emulation
DC3-Kordesii includes an experimental tracing utility called function_tracing
that can be used to statically emulate
and trace instructions within a function.
Please see the CPU Emulation documentation for more information.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file kordesii-2.6.0.tar.gz
.
File metadata
- Download URL: kordesii-2.6.0.tar.gz
- Upload date:
- Size: 252.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.2 CPython/3.8.18
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 7e31659d32cd0559babe631c54c470575be49e44d0e4c352392f560970dd825f |
|
MD5 | fade18ff0dc44f4b4c3c86d11455ab35 |
|
BLAKE2b-256 | f15461792905e370393934b7003c140de5b038cbcc12a84861560050200031b4 |
File details
Details for the file kordesii-2.6.0-py3-none-any.whl
.
File metadata
- Download URL: kordesii-2.6.0-py3-none-any.whl
- Upload date:
- Size: 264.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.2 CPython/3.8.18
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 0860c0d8eb31e795f4ff9d1fb24a382489b3dfe7cb618fa62d520fba2877de8f |
|
MD5 | bd308a457fb99b02690cac194239472a |
|
BLAKE2b-256 | 34cba27d3b9eb28acec2633b61cf4f12a12b04091f0e65ae0246b94a1b9cb510 |