
A static malware analysis library and tool developed using the disassembler-agnostic Dragodis.

Project description

Rugosa

Rugosa is a static malware analysis library and tool developed using the disassembler-agnostic dragodis API. It incorporates a binary emulation framework along with utilities for regex and YARA searching, string extraction, and function discovery within disassembled code. These features enhance capabilities for comprehensive malware analysis and metadata extraction.

Rugosa utilizes an in-house developed emulation engine entirely written in Python to achieve full control of the execution context and offer high-level abstractions for emulated artifacts. It adopts a targeted approach employing branch path tracing to emulate portions of code without the need to fully emulate preceding code or modify the binary to accommodate such control flow.

Currently, x86 and ARM processors are supported.

Install

pip install rugosa

You will also need to set up a backend disassembler by following Dragodis's installation instructions.

Utilities

The following utilities are included with Rugosa:

Configuration

All options are configurable through a settings.toml file; edit this file to configure Rugosa.

Rugosa looks for a user defined configuration file at either ~/.config/rugosa/settings.toml or %LOCALAPPDATA%\dc3\rugosa\settings.toml to overwrite the default settings.

To view the current configuration run the following:

python -m rugosa.config list

To edit the configuration, run the following to open the file in a text editor (this first copies the default configuration into the user configuration directory):

python -m rugosa.config edit

To create a new user configuration file without editing:

python -m rugosa.config create

Rugosa uses Dynaconf, which provides conveniences such as overriding configuration settings with environment variables prefixed with RUGOSA_.

For example, to change the computer name used during emulation:

export RUGOSA_MACHINE__COMPUTER_NAME=BOB_PC  # '__' to access nested field.
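To make the layering of the three configuration sources concrete, here is an added illustration (not Rugosa's or Dynaconf's own code) of how a RUGOSA_ variable with a `__` separator ends up overriding a nested field from the user settings.toml, which in turn overrides the bundled defaults. It assumes both TOML files have already been parsed into dicts; the default values and the `user_name` and `emulator` fields are constructed for the example, and env values are kept as plain strings (Dynaconf itself also casts types).

```python
import os
from copy import deepcopy

# Constructed stand-in for Rugosa's bundled defaults (only the shape matters here).
DEFAULT_SETTINGS = {
    "machine": {"computer_name": "DESKTOP-1", "user_name": "analyst"},
    "emulator": {"max_instructions": 10000},
}

ENV_PREFIX = "RUGOSA_"


def deep_merge(base: dict, override: dict) -> dict:
    """Return a copy of base with override applied recursively (override wins)."""
    result = deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = deep_merge(result[key], value)
        else:
            result[key] = value
    return result


def env_overrides(environ: dict) -> dict:
    """Turn RUGOSA_* variables into a nested dict; each '__' descends one level.

    Simplified model of Dynaconf's envvar loader (assumption: keys are
    case-insensitive and values are left as strings)."""
    overrides: dict = {}
    for name, value in environ.items():
        if not name.startswith(ENV_PREFIX):
            continue
        parts = name[len(ENV_PREFIX):].lower().split("__")
        node = overrides
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = value
    return overrides


def resolve_settings(defaults: dict, user_file: dict, environ: dict) -> dict:
    """Precedence, lowest to highest: bundled defaults, user settings.toml, env vars."""
    return deep_merge(deep_merge(defaults, user_file), env_overrides(environ))


if __name__ == "__main__":
    user_settings = {"machine": {"computer_name": "LAB-PC"}}  # constructed user settings.toml
    print(resolve_settings(DEFAULT_SETTINGS, user_settings, dict(os.environ)))
```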

Interactive Shell

Rugosa includes an interactive shell created with cmd2 for emulating and traversing a given binary. For more information on how to use the tool, please see the documentation.

Emulator Plugin

Rugosa includes an IDA and Ghidra plugin that provides a GUI for the emulation utility. For more information on how to install and use the plugin, please see the documentation.

Download files


Source Distribution

rugosa-1.3.0.tar.gz (157.3 kB)

Uploaded Source

Built Distribution


rugosa-1.3.0-py3-none-any.whl (184.7 kB)

Uploaded Python 3

File details

Details for the file rugosa-1.3.0.tar.gz.

File metadata

  • Download URL: rugosa-1.3.0.tar.gz
  • Size: 157.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.15

File hashes

Hashes for rugosa-1.3.0.tar.gz

Algorithm    Hash digest
SHA256       221d2d7aafe696b56904c221084d9737b72293d5716afea30d6aff41541fa756
MD5          6e6357f001e16ed6401ec182aa21217e
BLAKE2b-256  d7ef3f4a9bfded25c612af6cd68b3002f25b4b94883b823a3eafa06e4b2c129c


File details

Details for the file rugosa-1.3.0-py3-none-any.whl.

File metadata

  • Download URL: rugosa-1.3.0-py3-none-any.whl
  • Size: 184.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.15

File hashes

Hashes for rugosa-1.3.0-py3-none-any.whl

Algorithm    Hash digest
SHA256       27b9dfd2b808299c5efdf2c4a42805a1b3802bb1e325acddb251adb147cd79df
MD5          659e4e90c1bcc1eda8e7040b7f31d2e0
BLAKE2b-256  14db3f851e2012ed83c0357815b158438e98b6b4f1d6256de2a34c9276b091f1
