CodeHawk Binary Analyzer for malware analysis and general reverse engineering
This repository contains the command-line interface (in python) to run the CodeHawk Binary Analyzer and report its results. The command-line interface can be invoked as follows (adjust paths for actual location):
> export PYTHONPATH=$HOME/CodeHawk-Binary
> export PATH=$HOME/CodeHawk-Binary/chb/cmdline:$PATH
> chkx
This will show an overview of the commands available.
At present the analyzer supports x86 (32-bit) binaries, both ELF and PE32, and mips32 and arm32 (both ARM and Thumb-2) binaries (ELF only); arm32 support is still under active development and thus somewhat experimental.
The command-line interface requires python3.5 or higher. The analyzer requires a Java runtime environment.
Build instructions for the CodeHawk Binary Analyzer are available
Upon completion copy the analyzer, chx86_analyze, from the directory to the appropriate directory in chb/bin/binaries, or point the Config.py (or ConfigLocal.py) in chb/util/ to its location. You can check the configuration
> chkx info
Analyzer configuration:
-----------------------
analyzer : /home/myname/codehawk/CodeHawk/CHB/bchcmdline/chx86_analyze (found)
summaries: /home/myname/codehawk/CodeHawk/CHB/bchsummaries/bchsummaries.jar (found)
and check whether it works correctly by running some tests:
> chkx test runall
--ok-- arm32 elf suite_001 test_001
--ok-- x86 elf suite_001 test_001
--ok-- x86 elf suite_001 test_002
--ok-- x86 elf suite_001 test_003
--ok-- x86 elf suite_001 test_004
--ok-- x86 elf suite_001 test_005
--ok-- x86 pe suite_001 test_001.exe
--ok-- x86 pe suite_001 test_002.exe
--ok-- x86 pe suite_001 test_003.exe
--ok-- x86 pe suite_001 test_004.exe
--ok-- x86 pe suite_001 test_005.exe
All 11 tests passed.
> cd
> git clone https://github.com/static-analyis-engineering/CodeHawk-Binary.git
> export PYTHONPATH=$HOME/CodeHawk-Binary
> export PATH=$HOME/CodeHawk-Binary/chb/cmdline:$PATH
To disassemble an x86, arm32, or mips32 executable:
> chkx analyze -d mybinary ...
This will show some statistics on the disassembly, but will not perform any analysis. It usually is a good first step, especially if the binary is large, to check if disassembly succeeded. If this looks okay, analysis can be performed with (use --reset to remove any previous intermediate results):
> chkx analyze mybinary --reset
....
> chkx results stats mybinary
The following commands are available to see more detailed results:
results stats <xname>              output a summary of results with one line per function
results functions <xname> ...      output a listing of annotated assembly functions
results function <xname> <fn>      output a listing of a single annotated assembly function
results cfg <xname> <fn> ...       produce a control flow graph for a function (in pdf)
results cfgpaths <xname> <fn> ...  find paths through a cfg with a given target
results appcalls <xname>           output a listing of application calls
results dllcalls <xname>           output a listing of dll calls (PE32 only)
results stringargs <xname>         output a listing of calls with string arguments
results iocs <xname>               output a listing of indicators of compromise encountered
Finally, it is usually a good idea to reset the analysis results when re-analyzing a binary that was analyzed before:
> chkx analyze mybinary --reset
to avoid inconsistent intermediate results.
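The workflow above (disassemble first, analyze with --reset only if disassembly looked fine, then pull result listings) is easy to get wrong when triaging many samples by hand. The following Python driver is an added example and not part of the CodeHawk-Binary repository; it strings the chkx commands from this README together and gates each step on the previous one. It assumes chkx is on PATH as set up above and that chkx exits non-zero when a step fails (the README does not state this); the runner is injectable so the control flow can be exercised without the analyzer installed.

```python
# Added example (not part of the CodeHawk-Binary repository): a driver that
# follows the README workflow -- disassemble, analyze only if that succeeded,
# collect result views -- with the command runner injectable for testing.
import subprocess
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Sequence


@dataclass
class CmdResult:
    """Exit status and combined stdout/stderr of one chkx invocation."""
    returncode: int
    output: str


Runner = Callable[[Sequence[str]], CmdResult]


def run_chkx(args: Sequence[str]) -> CmdResult:
    """Default runner: invoke chkx from PATH (set up as shown in the README)."""
    proc = subprocess.run(["chkx", *args], capture_output=True, text=True, check=False)
    return CmdResult(proc.returncode, proc.stdout + proc.stderr)


@dataclass
class AnalysisReport:
    binary: str
    commands: List[List[str]] = field(default_factory=list)  # every chkx call made
    disassembled: bool = False
    analyzed: bool = False
    results: Dict[str, str] = field(default_factory=dict)    # results view -> output
    error: str = ""


def analyze_binary(binary: str, runner: Runner = run_chkx, reset: bool = True,
                   result_views: Sequence[str] = ("stats", "iocs", "stringargs")) -> AnalysisReport:
    """Disassemble, then analyze, then collect results for one binary.

    Assumption (not stated in the README): chkx exits non-zero when a step
    fails, so the exit status is what gates each following step.
    """
    report = AnalysisReport(binary)

    def call(args: List[str]) -> CmdResult:
        report.commands.append(args)
        return runner(args)

    # Step 1: disassembly only (-d). This is the README's recommended first
    # check, especially for large binaries; stop here if it does not succeed.
    r = call(["analyze", "-d", binary])
    if r.returncode != 0:
        report.error = "disassembly failed: " + r.output.strip()
        return report
    report.disassembled = True

    # Step 2: full analysis. --reset discards intermediate results of an
    # earlier run so a re-analysis cannot mix stale and fresh data.
    r = call(["analyze", binary] + (["--reset"] if reset else []))
    if r.returncode != 0:
        report.error = "analysis failed: " + r.output.strip()
        return report
    report.analyzed = True

    # Step 3: pull the result listings a malware triage usually wants first
    # (per-function summary, indicators of compromise, string arguments).
    for view in result_views:
        r = call(["results", view, binary])
        report.results[view] = r.output if r.returncode == 0 else ""
    return report


if __name__ == "__main__":
    import sys
    rep = analyze_binary(sys.argv[1])
    print(rep.error or rep.results.get("stats", ""))
```

Passing `reset=False` reproduces a plain `chkx analyze mybinary`; the default keeps `--reset` on, matching the README's advice for re-analyzing a binary that was analyzed before.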