Binary Ninja Automation: Naming and Typing Variables in Dynamic API Resolution

Sample bazaar.abuse.ch — aa1b1384dbf123607f6f63132f355e7486ccd67a0e03d3af2db40a333b70797b

import binaryninja
from binaryninja import BinaryView, Type, Variable
from binaryninja.types import FunctionType
from binaryninja.mediumlevelil import MediumLevelILStore, MediumLevelILConstPtr
from pathlib import Path

WORKING_DIR = Path('/path/to/rhadamanthys/')
SAMPLE_PATH = WORKING_DIR.joinpath('aa1b1384dbf123607f6f63132f355e7486ccd67a0e03d3af2db40a333b70797b.exe')
DB_PATH = WORKING_DIR.joinpath('rdm-testing.bndb')

# Load the sample and persist the analysis to a .bndb database.
view = binaryninja.open_view(SAMPLE_PATH)
view.create_database(DB_PATH)

Helpers

# Search type libraries for matching name, return prototype.
def search_type_libraries(fname: str, view: BinaryView):
    # not super efficient to search every single time...
    for typelib in view.type_libraries:
        for name, obj in typelib.named_objects.items():
            # only function prototypes are of interest here
            if not isinstance(obj, FunctionType):
                continue
            if fname == name:
                return obj
    return None

# Find the global the resolved pointer is stored into and give it a name and type.
def name_and_type_next_data_var(view: BinaryView, v: Variable, address: int, name: str, new_type: Type):
    mlil = view.get_functions_containing(address)[0].mlil
    for op in mlil.get_var_uses(v):
        # look for a store of the variable to a constant address (a global data var)
        if isinstance(op, MediumLevelILStore) and isinstance(op.dest, MediumLevelILConstPtr):
            data_var = view.get_data_var_at(op.dest.constant)
            if data_var is None:
                continue
            data_var.name = name
            data_var.type = new_type

Adding a type library: ...

April 29, 2024 · 3 min

Using Binary Ninja's HLIL for Config Extraction

Static Emotet Configuration Extraction

The goal here is to reproduce this technique from VMRay's post using Binary Ninja. This post from Open Analysis was also very helpful. With those posts as the foundation I was able to focus on the Binary Ninja API. This turned out to be much easier than anticipated; Binary Ninja's High Level Intermediate Language did most of the work once I figured out how to access it.

Sample used: c688e079a16b3345c83a285ac2ae8dd48680298085421c225680f26ceae73eb7 ...

February 1, 2022 · 5 min