|
Nyxelf is a powerful tool for analyzing malicious Linux ELF binaries, offering both static and dynamic analysis. It combines tools like |
-
Static Analysis:
- Inspect ELF headers, sections, and symbols.
- Decode assembly and variable data.
- Analyze suspicious imports which can be related to anti-debugging.
-
Dynamic Analysis:
- Run binaries in a secure QEMU-based sandbox.
- Record process activity, syscalls, and file interactions with
strace. - Supports custom verbosity for syscall tracing.
-
Decompilation:
- Decompiles binary to Assembly and C like pseudocode using
capstoneandangr. - Tries to retrive variable data from
.rodataand.datasections. - Uses
highlightjsCDNs for syntax highlighting.
- Decompiles binary to Assembly and C like pseudocode using
-
Other Features:
- Optional automatic UPX unpacking.
- JSON output for automated workflows.
- Adjustable syscall trace verbosity and string length filtering.
Note
JSON files and other logs are saved to /data, while the file-system and kernel image is saved to /sandbox.
Install required packages: Ensure you have python3 and python-pip installed and set to path and run the following commands,
sudo apt install qemu-kvm libvirt-daemon-system libvirt-clients bridge-utils virt-manager e2tools -y
git clone https://github.com/m3rcurylake/nyxelf.git
cd nyxelf && pip install -r requirements.txtAfter everything is completely installed, you can run Nyxelf as following:
python3 nyxelf.py --helpTo start analysing binaries, refer to the following help menu, or move to the project directory and type python nyxelf.py --file FILE in the terminal for a quick start, where FILE is the target binary. The output will be displayed in a new pywebview GUI window.
python nyxelf.py [-h] [--unpack] [--json] --file FILE [--short] [--length LENGTH]
_____ ___ ___ ___ ___ ___ _______ ___ _______
(" \|" \ |" \/" | |" \/" | /" "| |" | /" "|
|.\\ \ | \ \ / \ \ / (: ______) || | (: ______)
|: \. \\ | \\ \/ \\ \/ \/ | |: | \/ |
|. \ \. | / / /\. \ // ___)_ \ |___ // ___)
| \ \ | / / / \ \ (: "| ( \_|: \ (: (
\___|\____\) |___/ |___/\___| \_______) \_______) \__/
[Another ELF Analysis Framework]
options:
-h, --help show this help message and exit
--unpack Attempt to unpack UPX file before analysis.
--json Save JSON output of the analysis.
--file FILE Path to the file to be analyzed.
--short Use short trace output (hides args and reduces verbosity).
--length LENGTH Maximum length of ASCII strings in strace output.
Nyxelf simplifies static and dynamic analysis of ELF binaries,
enabling you to extract valuable insights effortlessly.
And can be used for vulnerability assessments, unpacking,
syscall tracing, and memory analysis.
Examples:
Analyze an ELF file statically and dynamically:
python3 nyxelf.py --file path/example.elf --json --unpack
Perform a detailed syscall trace with reduced verbosity:
python3 nyxelf.py --file path/example.elf --short --length 1024
Happy analyzing!
[&] https://github.com/m3rcurylake
[&] By Ankit Mukherjee
Nyxelf/
├── data
│ └── readme.md
├── frontend
│ ├── assets
│ │ ├── BebasNeue-Regular.ttf
│ │ └── Nunito-Regular.ttf
│ └── styles
│ ├── disassembly.css
│ └── static.css
├── LICENSE
├── nyxelf.py
├── README.md
├── requirements.txt
├── sandbox
│ ├── bzImage
│ └── rootfs.ext2
└── src
├── constructor.py
├── __init__.py
├── modules
│ ├── anti_debug_apis.py
│ ├── decompile.py
│ ├── __init__.py
│ ├── __main__.py
│ ├── packer_detection.py
│ ├── pseudocode.py
│ ├── section_entropy.py
│ └── variables.py
├── sandbox.py
├── static_analysis.py
└── trace_parser.py
- Decompiler and Disassembler Support
- Network Analysis
- Better UI and Optimisation
- Anti anti-debugging for ptrace etc.
- Detect Pyinstaller files
- Add Effective Logging
This project is licensed under the MIT License - see the LICENSE.md file for details.