-
-
Notifications
You must be signed in to change notification settings - Fork 171
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Refactoring (step up module architecture, establish central location for common functionality, cleanup linux analyzer) #58
base: master
Are you sure you want to change the base?
Conversation
Hello @CYB3RMX, I just need a yes/no from you for now on whether you're ok with my current trajectory so I can keep the changes coming. If not, let me know and I'll try to adjust. |
Hello @luis261 ! Thank you for your work and support. I think this architecture will make the project's codebase more understandable and maintainable. I am also considering adjusting the codebase to make packaging this project easier for future processes. |
Hi @CYB3RMX (: I'm excited to hear that! 🚀 I'll continue my work tomorrow and probably ping you in a few days when I've built up some more substantial changes (having the ability to import shared functionality definitely enables me to do that) |
Hello again @luis261 ! When I was checking your changes, the code threw these errors. Could you please also try to run program after your changes? |
Hi @CYB3RMX, thank your for making the effort and trying to test the changes already! Let me work on some other changes first, I already know the cause of the issue you're talking about. This issue is related to us running the modules via |
I'm currently working on refactoring the linux analyzer as part of this overall change. Just a small question only indirectly related to the refactoring: why do you consider it "bad" to have an NX bit? Qu1cksc0pe/Modules/linAnalyzer.py Line 167 in 7319b9f
|
I added this feature to check if the target sample has binary protections such as NX or PIE. |
Yes, I understand the point of the feature, I just don't get why we currently print "True" in bold red if NX is present, since it's a positive feature which increases security? Shouldn't it be green? I guess it's not that important, I'll address that point in a separate PR after the refactoring |
I thought that if the malware sample has some binary protections, it wouldn't be good for us. By the way, did you run the program after your changes? |
The way I understood, having an NX bit is probably good overall and shouldn't affect the binary instrumentation process? https://ctf101.org/binary-exploitation/no-execute/ But I'm not sure, you know more about analysis than me and I guess it makes sense for it to remain as is. Regarding the state of the program: yes, I did run it, although I don't have a great testing setup for Linux right now. I'm still working on refactoring the linux analyzer overall, to show you an example of what a refactored module could look like. I think I'll get that done today/tomorrow. After that, I'll fix the overall import situation (a simple, albeit annoying fix, because I'll need to modify the line in every module again) |
Yes, I know. I appreciate you trying to run it already, but currently there is no sense in trying that though. This branch will still be unstable until at least tomorrow. I will ping you though once it's ready ok? |
Okay no problem. Thank you :) |
You're welcome, I like working on this project (: Thank you for your patience and ongoing support! |
Just pushed a few more commits. Still not ready. Making some progress though, the linux analyzer specific part of the refactoring is almost done now. |
In case you're reading this soon: please continue to ignore my changes for now. But it'll be ready soon, I'll probably keep working and move this out of the draft state before sunrise (we're in a similar timezone). Until then, I still have to:
|
Hello @luis261 ! I checked your changes and tried to perform a scan against a simple Linux sample. Everything worked properly in this case. After that, I installed Qu1cksc0pe on my system using the I think we should also do something for the utility/helper modules. We can import them from the |
Hello @CYB3RMX (: thank you for your comprehensive testing, good finding, I'll look into it right away! |
ok, so at first glance, I don't think I understand the installation process. you copy the Qu1cksc0pe/Modules/installer.sh Line 59 in e11dfe4
but the |
Oh ok I understand now, it works via a config file: Line 78 in e11dfe4
That makes things a lot more complicated import-wise. I'll have to see if I can work something out this evening. But I don't think I can make it work without also copying the |
Okay man :) Feel free to ask |
Thank you mate, I'll try to figure sth out once I'm off the clock and then present you with a list of options tonight/tomorrow (: |
ok, so here's my current understanding of the install mechanism (Linux only, not taking Docker into account):
This means for a full Qu1cksc0pe installation running on Linux, the intended entrypoint is The problem here is that the entrypoint under Based on this understanding, here are the options, odered by rising complexity/disruptiveness to the current way of doing things:
I suggest we go with option 2, but let me know what you think please. Then I can implement the chosen option (: |
…s directory to path
actually I took the liberty of just implementing the 2nd option already, that way you can see what I mean and if you're ok with the solution we can finally get this done (: |
Exactly. The second option seems more logical. By the way, while adding updates, make sure to consider the |
Awesome, thanks for the swift feedback 🤗 yes, I'll keep this projects ways of performing installation in mind for future changes. |
Absolutely. But our priority should always be ensuring that the program runs smoothly. This way, people using the program won't experience any issues :) |
That's true for sure, but I'm not sure I get what you're trying to say: do you mean just in general or is there something else I need to consider regarding this specific PR before we can hopefully get it merged? |
What I mean is that we can approve the PR once we are sure everything is working correctly. |
That makes sense (: Do you think you could run it again with the |
Alright. Send your changes so we can test them. If there are no problems, we'll complete the PR :) |
Awesome, thank you so much 🙏 I already pushed and committed ba52c65bf9e6a2d1fd2ab56e6457437b57f0267e this morning. That small change already constitutes the implementation of option 2, thus hopefully solving our problem (: |
Hello @luis261 ! I checked your code, and it seems to be working properly (LinuxAnalyzer module). I also need to check the other modules. Note: I checked the That one is for the Windows side: I think we should add a default value for the report section |
@CYB3RMX thank you so much for your effort and attention to detail! Good to know the current status, I'm glad to hear that at least the actual analysis internals of the linux analyzer are stable again (: As for the report issue when executing the module directly: yes, that's on me, careless mistake to access that index without a prior check, here's the situation:
def analyze(self, indicators_by_category, emit_report=False):
... |
I'm a bit disappointed (in myself) regarding the integration changes and delay this refactoring is causing. This means the risk for upcoming changes will be more predictable/of smaller impact or scope. For now, there was no way to address some points of improvement without affecting all modules though. |
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
Sorry about the earlier information overload, I investigated this further in the meantime, here are the facts, as compact as I can manage:
Overall, we should be fine now. Again though, these IndexErrors weren't introduced by my refactoring, as evidenced by: https://github.com/CYB3RMX/Qu1cksc0pe/blob/master/Modules/winAnalyzer.py#L643 (main branch)
Qu1cksc0pe>git grep "sys.argv\[" | python txtfilter.py -x Modules/utils.py file get_argv
Modules/VTwrapper.py: apikey = str(sys.argv[1]) Modules/andro_familydetect.py:targetApk = sys.argv[1] Modules/apkAnalyzer.py:targetAPK = sys.argv[1] Modules/apkAnalyzer.py: if sys.argv[3] == "JAR": Modules/apkAnalyzer.py: if sys.argv[3] == "DEX": Modules/apkAnalyzer.py: if sys.argv[2] == "True": Modules/email_analyzer.py:target_eml = sys.argv[1] Modules/hashScanner.py: if str(sys.argv[1]) == '--db_update': Modules/hashScanner.py: if str(sys.argv[2]) == '--normal': Modules/packerAnalyzer.py: if str(sys.argv[1]) == '--single': Modules/packerAnalyzer.py: elif str(sys.argv[1]) == '--multiscan': Modules/pcap_analyzer.py:target_pcap = sys.argv[1] Modules/powershell_analyzer.py:target_pwsh = sys.argv[1] Modules/windows_dynamic_analyzer.py:target_pid = int(sys.argv[1]) |
No problem, man. I just meant to say let's come up with a solution for this too. |
Yes, thank you my friend (: My most recent changes should fix the issues you found 🤞 |
Module excecution improvements (for now only applied to the linux analyzer, other modules will be modified in dedicated PRs):
import
run
: a function that takes in all required arguments as parameters, which would otherwise be provided viasys.argv
if running the module directly in a shell (instead of inside Python viaimport
)main
: a function which wraps aroundrun
, executing it withsys.argv
inputmain
function if__name__ == "__main__"
qu1cksc0pe.py
, we can then import modules as required without the need for subshells/os commands (if they need input, we pass it via<modulename>.run
).path_handler
tempfile (instead, we just pass any such needed information to a given module via a parameter of its localrun
function)Note
changes below were already communicated/agreed upon previously:
Conversion of Modules directory into a Python package
Having had enough experience myself with Python's quirky import system, I think I have some understanding for why it might be preferable to avoid dealing with it in some circumstances. Can you tell me the specific reasons though why you execute modules via
os.system
instead of staying inside a single Python interpreter instance if there are any?If you're ok with it, I'll slowly move us towards staying inside a single Python instance by leveraging
import
statements instead of invoking modules directly via the operating system, since I think the advantages outweigh/justify using the established import system:os.system
every time we execute a module is more expensive in terms of overhead instead of simply importing into the current Python thread)ideally we would rename the directory to be lowercase as part of this change to conform to Python module naming conventions .. I held off on it for now, since it's not strictly necessary and I'm unsure of the implications in terms of the other locations we'd have to adjust
Extraction of utility function previously strictly local to main module into separate module