wip

Author: ex0dus-0x

Cargo.lock

@@ -1,6 +1,6 @@
 [package]
 name = "binsec"
-description = "Swiss Army Knife for Binary (In)Security"
+description = "Binary (In)Security tool"
 
 authors = ["ex0dus-0x <ex0dus@codemuch.tech>"]
 license = "MIT"
@@ -9,7 +9,7 @@ homepage = "https://github.com/ex0dus-0x/binsec"
 repository = "https://github.com/ex0dus-0x/binsec"
 readme = "README.md"
 
-version = "3.0.0"
+version = "3.1.0"
 edition = "2018"
 
 [profile.release]
@@ -22,7 +22,5 @@ goblin = "0.4.0"
 byte-unit = "4.0.10"
 chrono = "0.4"
 
-yara = "0.9.0"
-
 serde_json = "1.0"
 serde = { version = "1.0", features = ["derive"] }

Cargo.toml

@@ -9,18 +9,16 @@
 [crates-binsec-badge]: https://img.shields.io/crates/v/binsec.svg
 [crates-binsec]: https://crates.io/crates/binsec
 
-Swiss Army Knife for Binary (In)security
+Binary (In)security tool
 
-__binsec__ is a minimal static analysis utility for detecting security capabilities in ELF/PE/Mach-O executables. It's useful
-for reverse engineers and vulnerability researchers to gain quick and deeper insights into binary artifacts, 
-build fast detection pipelines, and improve overall binary analysis.
+__binsec__ is a minimal static analysis utility for detecting security capabilities in ELF/PE/Mach-O executables.
 
 ## Features
 
 * Cross-platform, supports robust checks for ELF/PE/Mach-Os while running on any host.
-* Backends [libgoblin](https://github.com/m4b/goblin) for efficient and cross-platform binary parsing.
-* JSON serializable for storage/logging consumption.
-* Small and ast: final release build is ~2.44Mb, with analysis done in 30ms.
+* Backends [libgoblin](https://github.com/m4b/goblin) for binary parsing
+* JSON serialization
+* Small release builds at ~2.44Mb, with analysis done in 30ms.
 
 ### Static Analysis Checks
 
@@ -29,7 +27,6 @@ The project currently supports static detection for a variety of executable chec
 * __Compilation Features__ - insights about how the executable was compiled, and runtimes used in that process.
 * __Exploit Mitigations__ - OS-supported binary hardening features used to limit exploitation and priviledge escalation.
 * __Dynamic Instrumentation__ - detects any known instrumentation frameworks used for dynamic analysis and/or profiling.
-* __Anti-Analysis (WIP)__ - noticeable anti-analysis checks employed to mitigate reverse engineering.
 
 ## Usage
 

README.md

@@ -26,7 +26,7 @@ use crate::rules;
 const GLIBC: &str = "GLIBC_2.";
 
 impl Analyze for Elf<'_> {
-    fn run_compilation_checks(&self, bytes: &[u8]) -> BinResult<GenericMap> {
+    fn compilation(&self, bytes: &[u8]) -> BinResult<GenericMap> {
         let mut comp_map: GenericMap = GenericMap::new();
 
         // supported: shared object (pie exec or .so) or executable
@@ -72,7 +72,7 @@ impl Analyze for Elf<'_> {
         Ok(comp_map)
     }
 
-    fn run_mitigation_checks(&self) -> GenericMap {
+    fn mitigations(&self) -> GenericMap {
         let mut mitigate_map: GenericMap = GenericMap::new();
 
         // features we are checking for
@@ -120,6 +120,8 @@ impl Analyze for Elf<'_> {
             if let Some(Ok(symbol)) = _symbol {
                 if symbol == "__stack_chk_fail" {
                     stack_canary = true;
+                
+                // TODO: make tighter
                 } else if symbol.ends_with("_chk") {
                     fortify_source = true;
                 }
@@ -129,4 +131,31 @@ impl Analyze for Elf<'_> {
         mitigate_map.insert("FORTIFY_SOURCE".to_string(), json!(fortify_source));
         mitigate_map
     }
+
+    fn instrumentation(&self) -> Option<GenericMap> {
+        let mut instr_map: GenericMap = GenericMap::new();
+        for _sym in self.syms.iter() {
+            let _symbol = self.strtab.get(_sym.st_name);
+            if let Some(Ok(symbol)) = _symbol {
+
+                // /__ubsan\w+\d+/
+                if symbol.starts_with("__ubsan") {
+                    instr_map.insert("Address Sanitizer (ASAN)".to_string(), json!(true));
+                
+                // /_ZN\w+__asan\w+\d+/
+                } else if symbol.starts_with("__asan") {
+                    instr_map.insert("Undefined Behavior Sanitizer (UBSAN)".to_string(), json!(true));
+                
+                // /__afl\w+\d+/
+                } else if symbol.starts_with("__afl") {
+                    instr_map.insert("AFL Instrumentation".to_string(), json!(true));
+                
+                // /__llvm\w+\d+/
+                } else if symbol.starts_with("__llvm") {
+                    instr_map.insert("LLVM Code Coverage".to_string(), json!(true));
+                }
+            }
+        }
+        unimplemented!();
+    }
 }

src/check/elf.rs

@@ -16,11 +16,11 @@ const MH_ALLOW_STACK_EXECUTION: u32 = 0x20000;
 const MH_NO_HEAP_EXECUTION: u32 = 0x1000000;
 
 impl Analyze for MachO<'_> {
-    fn run_compilation_checks(&self, _bytes: &[u8]) -> BinResult<GenericMap> {
+    fn compilation(&self, _bytes: &[u8]) -> BinResult<GenericMap> {
         todo!()
     }
 
-    fn run_mitigation_checks(&self) -> GenericMap {
+    fn mitigations(&self) -> GenericMap {
         let mut mitigate_map: GenericMap = GenericMap::new();
 
         let nx_stack: bool = matches!(self.header.flags & MH_ALLOW_STACK_EXECUTION, 0);
@@ -59,4 +59,8 @@ impl Analyze for MachO<'_> {
         mitigate_map.insert("__RESTRICT segment".to_string(), json!(restrict));
         mitigate_map
     }
+
+    fn instrumentation(&self) -> Option<GenericMap> {
+        unimplemented!();
+    }
 }

src/check/mach.rs

@@ -2,7 +2,7 @@ pub mod elf;
 pub mod mach;
 pub mod pe;
 
-use yara::{Compiler, MetadataValue};
+//use yara::{Compiler, MetadataValue};
 
 use crate::errors::BinResult;
 use crate::rules::UNIVERSAL_COMPILER_RULES;
@@ -14,6 +14,7 @@ pub type GenericMap = std::collections::BTreeMap<String, serde_json::Value>;
 /// reusable functions for parsing out features and doing static analysis.
 pub trait Analyze {
     fn detect_compiler_runtime(&self, os_specific: &str, bytes: &[u8]) -> BinResult<String> {
+        /*
         // initialize with universal compiler runtime rules first, then add os_specific ones
         let mut compiler = Compiler::new()?;
         compiler.add_rules_str(UNIVERSAL_COMPILER_RULES)?;
@@ -30,10 +31,12 @@ pub trait Analyze {
             Ok(name.to_string())
         } else {
             Ok("N/A".to_string())
-        }
+        }*/
+        Ok("N/A".to_string())
     }
 
     /// To be implemented for each specific binary format
-    fn run_compilation_checks(&self, bytes: &[u8]) -> BinResult<GenericMap>;
-    fn run_mitigation_checks(&self) -> GenericMap;
+    fn compilation(&self, bytes: &[u8]) -> BinResult<GenericMap>;
+    fn mitigations(&self) -> GenericMap;
+    fn instrumentation(&self) -> Option<GenericMap>;
 }

src/check/mod.rs

@@ -21,7 +21,7 @@ use crate::errors::BinResult;
 use crate::rules;
 
 impl Analyze for PE<'_> {
-    fn run_compilation_checks(&self, bytes: &[u8]) -> BinResult<GenericMap> {
+    fn compilation(&self, bytes: &[u8]) -> BinResult<GenericMap> {
         let mut comp_map = GenericMap::new();
 
         // supported: DLL or EXE
@@ -44,7 +44,7 @@ impl Analyze for PE<'_> {
         Ok(comp_map)
     }
 
-    fn run_mitigation_checks(&self) -> GenericMap {
+    fn mitigations(&self) -> GenericMap {
         let mut mitigation_checks: GenericMap = GenericMap::new();
 
         if let Some(optional_header) = self.header.optional_header {
@@ -89,4 +89,8 @@ impl Analyze for PE<'_> {
         }
         mitigation_checks
     }
+
+    fn instrumentation(&self) -> Option<GenericMap> {
+        unimplemented!();
+    }
 }

src/check/pe.rs

@@ -9,8 +9,6 @@ use crate::rules;
 use goblin::mach::Mach;
 use goblin::Object;
 
-use yara::Compiler;
-
 use byte_unit::Byte;
 use chrono::prelude::*;
 use serde_json::{json, Value};
@@ -25,7 +23,6 @@ pub struct Detector {
     compilation: GenericMap,
     mitigations: GenericMap,
     instrumentation: Option<GenericMap>,
-    //anti_analysis: AntiAnalysis,
 }
 
 impl Detector {
@@ -56,9 +53,6 @@ impl Detector {
         // read raw binary from path
         let data: Vec<u8> = std::fs::read(&binpath)?;
 
-        // detect presence of dynamic instrumentation frameworks
-        let instrumentation = Detector::detect_instrumentation(&data)?;
-
         // parse executable as format and run format-specific mitigation checks
         match Object::parse(&data)? {
             Object::Elf(elf) => Ok(Self {
@@ -76,9 +70,9 @@ impl Detector {
                     basic_map.insert("Entry Point Address".to_string(), json!(entry_point));
                     basic_map
                 },
-                compilation: elf.run_compilation_checks(&data)?,
-                mitigations: elf.run_mitigation_checks(),
-                instrumentation,
+                compilation: elf.compilation(&data)?,
+                mitigations: elf.mitigations(),
+                instrumentation: elf.instrumentation(),
             }),
             Object::PE(pe) => Ok(Self {
                 basic: {
@@ -97,48 +91,23 @@ impl Detector {
                     basic_map.insert("Entry Point Address".to_string(), json!(entry_point));
                     basic_map
                 },
-                compilation: pe.run_compilation_checks(&data)?,
-                mitigations: pe.run_mitigation_checks(),
-                instrumentation,
+                compilation: pe.compilation(&data)?,
+                mitigations: pe.mitigations(),
+                instrumentation: None,
             }),
             Object::Mach(Mach::Binary(mach)) => Ok(Self {
                 basic: {
                     basic_map.insert("Binary Format".to_string(), json!("Mach-O"));
                     basic_map
                 },
-                compilation: mach.run_compilation_checks(&data)?,
-                mitigations: mach.run_mitigation_checks(),
-                instrumentation,
+                compilation: mach.compilation(&data)?,
+                mitigations: mach.mitigations(),
+                instrumentation: None,
             }),
             _ => Err(BinError::new("unsupported filetype for analysis")),
         }
     }
 
-    #[inline]
-    fn detect_instrumentation(data: &[u8]) -> BinResult<Option<GenericMap>> {
-        use yara::MetadataValue;
-
-        // execute YARA rules for instrumentation frameworks
-        let mut compiler = Compiler::new()?;
-        compiler.add_rules_str(rules::INSTRUMENTATION_RULES)?;
-        let rules = compiler.compile_rules()?;
-
-        // parse out matches into genericmap
-        let inst_matches = rules.scan_mem(&data, 5)?;
-        let mut instrumentation = GenericMap::new();
-        for rule in inst_matches.iter() {
-            if let MetadataValue::String(name) = rule.metadatas[0].value {
-                instrumentation.insert(String::from(name), json!(true));
-            }
-        }
-
-        if instrumentation.is_empty() {
-            Ok(None)
-        } else {
-            Ok(Some(instrumentation))
-        }
-    }
-
     /// Output all the finalized report collected on the specific executable, writing to
     /// JSON path if specificed not as `-`.
     pub fn output(&self, json: Option<&str>) -> serde_json::Result<()> {

src/detect.rs

@@ -37,17 +37,4 @@ impl From<serde_json::Error> for BinError {
     }
 }
 
-impl From<yara::Error> for BinError {
-    fn from(error: yara::Error) -> Self {
-        Self(error.to_string())
-    }
-}
-
-// not sure why there are two error types
-impl From<yara::YaraError> for BinError {
-    fn from(error: yara::YaraError) -> Self {
-        Self(error.to_string())
-    }
-}
-
 impl Error for BinError {}

src/errors.rs

@@ -23,24 +23,14 @@ fn parse_args<'a>() -> ArgMatches<'a> {
     App::new(env!("CARGO_PKG_NAME"))
         .version(env!("CARGO_PKG_VERSION"))
         .author("ex0dus <ex0dus at codemuch.tech>")
-        .about("Swiss Army Knife for Binary (In)security")
+        .about("Binary (In)security tool")
         .setting(AppSettings::ArgRequiredElseHelp)
         .arg(
             Arg::with_name("BINARY")
                 .help("Path to binary or binaries to analyze.")
                 .takes_value(true)
                 .required(true),
         )
-        /*
-        .arg(
-            Arg::with_name("info")
-                .help("Given a tag, get more information about a specific mitigation.")
-                .short("i")
-                .long("info")
-                .takes_value(true)
-                .required(false),
-        )
-        */
         .arg(
             Arg::with_name("json")
                 .help("Output results in JSON. Use - for stdout.")

src/main.rs

@@ -1,44 +1,3 @@
-//! YARA rules to apply against all binary formats. We use this rather than parsing through the
-//! executable format through libgoblin to cut out implementing repetition for each format.
-
-pub const INSTRUMENTATION_RULES: &str = r#"
-    rule afl {
-        meta:
-            name = "AFL Instrumentation"
-        strings:
-            $afl = /__afl\w+\d+/
-        condition:
-            any of them
-    }
-
-    rule asan {
-        meta:
-            name = "Address Sanitizer (ASan)"
-        strings:
-            $asan = /_ZN\w+__asan\w+\d+/
-        condition:
-            any of them
-    }
-
-    rule ubsan {
-        meta:
-            name = "Undefined Behavior Sanitizer (UBsan)"
-        strings:
-            $ubsan = /__ubsan\w+\d+/
-        condition:
-            any of them
-    }
-
-    rule llvm {
-        meta:
-            name = "LLVM Code Coverage"
-        strings:
-            $llvm = /__llvm\w+\d+/
-        condition:
-            any of them
-    }
-"#;
-
 pub const UNIVERSAL_COMPILER_RULES: &str = r#"
     rule rust {
         meta: