SandAnalyze

Added Android debug

classes/Android.py

@@ -1,4 +1,4 @@
-import platform, unittest
+import platform, unittest, shutil, os
 from collections import defaultdict
 from qiling import Qiling
 from qiling.os.mapper import QlFsMappedObject
@@ -26,39 +26,65 @@ def my_syscall_close(ql: Qiling, fd: int) -> int:
     return syscall.ql_syscall_close(ql, fd)
 
 OVERRIDES = {'mmap_address': 0x68000000}
+env = {
+    'ANDROID_DATA': r'/data',
+    'ANDROID_ROOT': r'/system'
+    }
 
 
 class TestAndroid(unittest.TestCase):
     @unittest.skipUnless(platform.system() == 'Linux', 'run only on Linux')
-    def test_android_arm64(self):
-        test_binary = "examples/rootfs/arm64_android6.0/bin/arm64_android_jniart"
-        rootfs = "examples/rootfs/arm64_android6.0"
-        env = {
-            'ANDROID_DATA': r'/data',
-            'ANDROID_ROOT': r'/system'
-        }
-
-        ql = Qiling([test_binary], rootfs, env, profile={'OS64': OVERRIDES}, multithread=True)
+    def test_android_arm64(exeloc):
+        if os.path.exists("examples/rootfs/arm64_android6/bin") is False:
+            os.mkdir("examples/rootfs/arm64_android6/bin")
+
+        shutil.copyfile("exefiles/" + exeloc, "examples/rootfs/arm64_android6/bin/" + exeloc)
 
+        ql = Qiling(["examples/rootfs/arm64_android6/bin/" + exeloc], "examples/rootfs/arm64_android6", env, profile={'OS64': OVERRIDES}, multithread=True)
         ql.os.set_syscall("close", my_syscall_close)
         ql.add_fs_mapper("/proc/self/task/2000/maps", Fake_maps(ql))
         ql.run()
+        del ql
+
+    @unittest.skipUnless(platform.system() == 'Linux', 'run only on Linux')
+    def debug_android_arm64(exeloc, debugger):
+        if os.path.exists("examples/rootfs/arm64_android6/bin") is False:
+            os.mkdir("examples/rootfs/arm64_android6/bin")
+
+        shutil.copyfile("exefiles/" + exeloc, "examples/rootfs/arm64_android6/bin/" + exeloc)
 
+        ql = Qiling(["examples/rootfs/arm64_android6/bin/" + exeloc], "examples/rootfs/arm64_android6", env, profile={'OS64': OVERRIDES}, multithread=True)
+        ql.os.set_syscall("close", my_syscall_close)
+        ql.add_fs_mapper("/proc/self/task/2000/maps", Fake_maps(ql))
+        ql.debugger = str(debugger)
+        ql.run()
         del ql
 
     @unittest.skipUnless(platform.system() == 'Linux', 'run only on Linux')
-    def test_android_arm(self):
-        test_binary = "examples/rootfs/arm64_android6.0/bin/arm_android_jniart"
-        rootfs = "examples/rootfs/arm64_android6.0"
-        env = {
-            'ANDROID_DATA': r'/data',
-            'ANDROID_ROOT': r'/system'
-        }
+    def debug_android_arm(exeloc, debugger):
 
-        ql = Qiling([test_binary], rootfs, env, profile={'OS32': OVERRIDES}, multithread=True)
+        if os.path.exists("examples/rootfs/arm64_android6/bin") is False:
+            os.mkdir("examples/rootfs/arm64_android6/bin")
+
+        shutil.copyfile("exefiles/" + exeloc, "examples/rootfs/arm64_android6/bin/" + exeloc)
 
+        ql = Qiling(["examples/rootfs/arm64_android6/bin/" + exeloc], "examples/rootfs/arm64_android6", env, profile={'OS32': OVERRIDES}, multithread=True)
         ql.os.set_syscall("close", my_syscall_close)
         ql.add_fs_mapper("/proc/self/task/2000/maps", Fake_maps(ql))
+        ql.debugger = str(debugger)
         ql.run()
+        del ql
+
+    @unittest.skipUnless(platform.system() == 'Linux', 'run only on Linux')
+    def test_android_arm(exeloc):
+
+        if os.path.exists("examples/rootfs/arm64_android6/bin") is False:
+            os.mkdir("examples/rootfs/arm64_android6/bin")
+
+        shutil.copyfile("exefiles/" + exeloc, "examples/rootfs/arm64_android6/bin/" + exeloc)
 
+        ql = Qiling(["examples/rootfs/arm64_android6/bin/" + exeloc], "examples/rootfs/arm64_android6", env, profile={'OS32': OVERRIDES}, multithread=True)
+        ql.os.set_syscall("close", my_syscall_close)
+        ql.add_fs_mapper("/proc/self/task/2000/maps", Fake_maps(ql))
+        ql.run()
         del ql

classes/Windows_X86_64.py

@@ -5,7 +5,6 @@
 from capstone import *
 from qiling.const import QL_VERBOSE
 from qiling.os.mapper import QlFsMappedObject
-from qiling.extensions import trace
 
 
 class Fake_Drive(QlFsMappedObject):
@@ -65,7 +64,7 @@ def wannacry_hunter(path, rootfs = "examples/rootfs/x8664_windows", memloc = 0x4
             return False
 
     # Anaylzer for Windows
-    def windisk_analyze(binfile, driveid, rootfs = "examples/rootfs/x8664_windows"):
+    def windisk_analyze(binfile, driveid = 0, rootfs = "examples/rootfs/x8664_windows"):
         ql = Qiling(r"" + binfile, r"" + rootfs, verbose=QL_VERBOSE.DEBUG)
         ql.add_fs_mapper(r"\\.\PHYSICALDRIVE" + int(driveid) + "", Fake_Drive())
         ql.run(timeout=5000)
@@ -92,11 +91,11 @@ def sandbox_analyze(exeloc, debugger):
                 QilingSandBox_Windows_x86_64.my_sandbox_nodebugger(["examples/rootfs/x8664_windows/bin/" + exeloc], QL_ARCH.X8664, "examples/rootfs/x8664_windows")
             else:
                 # Create folder if was not created
-                if os.path.exists("examples/rootfs/x86_windows/bin") is False:
-                    os.mkdir("examples/rootfs/x86_windows/bin")
+                if os.path.exists("examples/rootfs/x8664_windows/bin") is False:
+                    os.mkdir("examples/rootfs/x8664_windows/bin")
 
-                shutil.copyfile("exefiles/" + exeloc, "examples/rootfs/x86_windows/bin/" + exeloc)
-                QilingSandBox_Windows_x86_64.my_sandbox_nodebugger(["examples/rootfs/x86_windows/bin/" + exeloc], QL_ARCH.X86, "examples/rootfs/x86_windows")
+                shutil.copyfile("exefiles/" + exeloc, "examples/rootfs/x8664_windows/bin/" + exeloc)
+                QilingSandBox_Windows_x86_64.my_sandbox_nodebugger(["examples/rootfs/x8664_windows/bin/" + exeloc], QL_ARCH.X86, "examples/rootfs/x8664_windows")
         else:
             if(arch == "64"):
                 # Create folder if was not created
@@ -107,8 +106,8 @@ def sandbox_analyze(exeloc, debugger):
                 QilingSandBox_Windows_x86_64.my_sandbox(["examples/rootfs/x8664_windows/bin/" + exeloc], QL_ARCH.X8664, "examples/rootfs/x8664_windows", debugger)
             else:
                 # Create folder if was not created
-                if os.path.exists("examples/rootfs/x86_windows/bin") is False:
-                    os.mkdir("examples/rootfs/x86_windows/bin")
+                if os.path.exists("examples/rootfs/x8664_windows/bin") is False:
+                    os.mkdir("examples/rootfs/x8664_windows/bin")
 
-                shutil.copyfile("exefiles/" + exeloc, "examples/rootfs/x86_windows/bin/" + exeloc)
-                QilingSandBox_Windows_x86_64.my_sandbox(["examples/rootfs/x86_windows/bin/" + exeloc], QL_ARCH.X86, "examples/rootfs/x86_windows", debugger)
+                shutil.copyfile("exefiles/" + exeloc, "examples/rootfs/x8664_windows/bin/" + exeloc)
+                QilingSandBox_Windows_x86_64.my_sandbox(["examples/rootfs/x8664_windows/bin/" + exeloc], QL_ARCH.X86, "examples/rootfs/x8664_windows", debugger)

dllscollector.bat

@@ -4,13 +4,6 @@
 :: Create the emulated Windows directory structure and registry ::
 ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
 
-:: Test for Admin privileges
-NET SESSIONS > NUL 2>&1
-IF %ERRORLEVEL% NEQ 0 (
-	ECHO Error: This script requires administrative privileges.
-	EXIT /B 1
-)
-
 :: Host system directories
 SET SYSDIR32="%WINDIR%\SysWOW64"
 SET SYSDIR64="%WINDIR%\System32"
@@ -125,8 +118,6 @@ CALL :collect_dll64 shlwapi.dll
 CALL :collect_dll64 user32.dll
 CALL :collect_dll64 vcruntime140.dll
 CALL :collect_dll64 vcruntime140d.dll
-CALL :collect_dll64 vcruntime140_1.dll
-CALL :collect_dll64 vcruntime140_1d.dll
 CALL :collect_dll64 win32u.dll
 CALL :collect_dll64 winhttp.dll
 CALL :collect_dll64 wininet.dll

example_android.py

@@ -0,0 +1,44 @@
+import sys, os
+from classes.Android import *
+
+filelist = os.listdir("exefiles")
+try:
+    exeloc = str(sys.argv[1])
+    type = str(sys.argv[2])
+    debugger = str(sys.argv[3])
+except IndexError:
+    print("Example : python3 example.py example.exe nodebug / gdb / qdb")
+except:
+    print("""
+          [*] Since no architect (arm / arm64) is selected, it is selected 'arm'
+          OR
+          [*] Since no debugger (gdb / qdb) is selected, will not debugging!
+          """)
+    debugger = "nodebug"
+    type = "arm"
+
+if exeloc is None or exeloc == "" or type is None or type == "" or debugger is None or debugger == "":
+    print("Example : python3 example.py example.exe arm64 / arm  nodebug / gdb / qdb")
+else:
+    if type == "arm64":
+        if debugger == "qdb" or debugger == "gdb":
+            try:
+                TestAndroid.debug_android_arm64(exeloc, debugger)
+            except Exception as e:
+                print("ERROR: " + str(e))
+        else:
+            try:
+                TestAndroid.test_android_arm64(exeloc)
+            except Exception as e:
+                print("ERROR: " + str(e))
+    else:
+        if debugger == "qdb" or debugger == "gdb":
+            try:
+                TestAndroid.debug_android_arm(exeloc, debugger)
+            except Exception as e:
+                print("ERROR: " + str(e))
+        else:
+            try:
+                TestAndroid.test_android_arm64(exeloc)
+            except Exception as e:
+                print("ERROR: " + str(e))

example_win_diskanaylze.py

@@ -3,6 +3,6 @@
 
 try:
     binfile = sys.argv[1] # .bin file
-    QilingSandBox_Windows_x86_64.windisk_analyze([os.getcwd() + "/examples/rootfs/x8664_windows/bin/" + binfile], 1)
+    QilingSandBox_Windows_x86_64.windisk_analyze([os.getcwd() + "/examples/rootfs/x8664_windows/bin/" + binfile], 0)
 except Exception as e:
     print("ERROR:" + str(e))