private void MarkInsideRizin(int cnt, string name, decimal offset, string length, string identifier, string mark, decimal?mappedOffset)
{
rizin.Command("fs+yara");
rizin.Command($"f {mark}.{cnt} {length} @{mappedOffset}");
rizin.Command($"fC {mark}.{cnt} 'Yara match \"{name}\" at \"{offset}\" lenght \"{length}\" identifier \"{identifier}\"'");
rizin.Command("fs-");
}
private void UnloadMappedFileAtOffsetZero()
{
using (DataTable dt = rizin.CommandDataTable("oj"))
{
DataRow last = dt.Rows.OfType <DataRow>().OrderBy(x => (decimal)x[".fd"]).Last();
decimal fd = (decimal)last[".fd"];
rizin.Command($"o-{fd}");
}
}
private void DisassembleSection(decimal vaddr, decimal vsize, Stream stream)
{
string colors = rizin.CommandString("e scr.color");
string lines = rizin.CommandString("e asm.lines");
rizin.Command("e scr.color=0");
rizin.Command("e asm.lines=false");
string opcodes = rizin.CommandString($"pD {vsize} @{vaddr}");
rizin.Command($"e scr.color={colors}");
rizin.Command($"e asm.lines={lines}");
byte[] data = Encoding.UTF8.GetBytes(opcodes);
stream.Write(data, 0, data.Length);
}
private JsonDocument GetStackStringsJson()
{
var outputBuffer = new ArrayBufferWriter <byte>();
int cnt = 0;
using (var jsonWriter = new Utf8JsonWriter(outputBuffer))
{
jsonWriter.WriteStartArray();
using (JsonDocument jsonFcn = rizin.CommandJson("aflj"))
{
if (jsonFcn == null)
{
return(null);
}
foreach (var fcn in jsonFcn.RootElement.EnumerateArray())
{
decimal offset = fcn.GetProperty("offset").GetDecimal();
string name = fcn.GetProperty("name").GetString();
bool firstString = true;
using (JsonDocument jsonInst = rizin.CommandJson($"pifj @{offset}"))
{
if (jsonInst == null)
{
continue;
}
foreach (var inst in jsonInst.RootElement.GetProperty("ops").EnumerateArray())
{
JsonElement valElem, tmpElem;
if (!inst.TryGetProperty("val", out valElem))
{
continue;
}
if (inst.TryGetProperty("refs", out tmpElem) && tmpElem.GetArrayLength() > 0)
{
continue;
}
decimal opoffset = inst.GetProperty("offset").GetDecimal();
decimal size = inst.GetProperty("size").GetDecimal();
decimal val = valElem.GetDecimal();
string opcode = inst.GetProperty("opcode").GetString();
string type = inst.GetProperty("type").GetString();
if (type != "mov" && type != "push")
{
continue;
}
byte[] data = BitConverter.GetBytes((ulong)val);
List <char> chars = new List <char>();
for (int i = 0; i < data.Length; i++)
{
if (data[i] >= 0x20 && data[i] <= 0x7A)
{
char chr = (char)data[i];
chars.Add(chr);
}
}
if (chars.Count > 0)
{
string str = new string(chars.ToArray());
string strComm = new string(chars.ToArray());
if (strComm.Contains('\\'))
{
strComm = strComm.Replace(backslash, doublebackslash);
}
if (strComm.Contains('\''))
{
strComm = strComm.Replace(mark, markescaped);
}
rizin.Command("fs+stackstrings");
rizin.Command($"f loc.stackstring.{cnt} {size} @{opoffset}");
rizin.Command($"fC loc.stackstring.{cnt} '{strComm}'");
rizin.Command("fs-");
cnt++;
if (firstString)
{
jsonWriter.WriteStartObject();
jsonWriter.WriteNumber("offset", offset);
jsonWriter.WriteString("name", name);
jsonWriter.WriteStartArray("ops");
firstString = false;
}
jsonWriter.WriteStartObject();
jsonWriter.WriteString("string", str);
jsonWriter.WriteNumber("offset", opoffset);
jsonWriter.WriteNumber("val", val);
jsonWriter.WriteString("opcode", opcode);
jsonWriter.WriteEndObject();
}
}
}
if (!firstString)
{
jsonWriter.WriteEndArray();
jsonWriter.WriteEndObject();
}
}
}
jsonWriter.WriteEndArray();
}
return(JsonDocument.Parse(Encoding.UTF8.GetString(outputBuffer.WrittenSpan)));
}
static void Main(string[] args)
{
if (args.Length > 1)
{
Parallel.ForEach(args, new ParallelOptions
{
MaxDegreeOfParallelism = Environment.ProcessorCount
}, (arg) => ShellUtils.RunShellAsync(
"dotnet",
$"\"{Assembly.GetExecutingAssembly().Location}\" \"{arg}\"")
.GetAwaiter().GetResult()
);
}
else if (args.Length == 1)
{
string arg = args[0];
if (File.Exists(arg))
{
using (var rizin = new Rizin())
{
rizin.Command($"o \"{arg}\"");
string fileName = Path.GetFileName(arg);
using (DataTable dt = rizin.CommandDataTable("itj"))
{
if (dt.Columns.Contains(".md5"))
{
fileName = (string)dt.Rows[0][".md5"];
}
}
string path = $"rz_report/{fileName}";
Directory.CreateDirectory(path);
Report report = new Report(rizin, path);
rizin.CommandAnalyzeBinary();
Yara yara = new Yara(rizin, path);
yara.TryYaraCheck();
report.Hashes();
report.Info();
if (CheckIsNotExecutable(rizin))
{
return;
}
if (CheckIsCilExecutable(rizin))
{
try
{
var decompiler = new CSharpDecompiler(arg, new DecompilerSettings());
string code = decompiler.DecompileWholeModuleAsString();
string cilFileName = string.Concat(path, Path.DirectorySeparatorChar, "cil.txt");
File.WriteAllText(cilFileName, code);
}
catch (Exception)
{ }
return;
}
report.Headers();
report.Sections();
report.Resources();
report.Libraries();
report.Signature();
report.Entrypoints();
report.Imports();
report.Exports();
report.Strings();
report.StackStrings();
report.Functions();
rizin.Command($"Ps \"{path}/project.rzdb\"");
// Opcodes opcodes = new Opcodes(rizin, path);
// opcodes.Disassemble();
Data data = new Data(rizin, path);
data.Export();
}
}
}
else
{
Console.WriteLine(@"usage: rz_report [FILE]...");
Console.WriteLine(@"creates a folder ""./rz_report"" and writes the analysis " +
@"results inside subfolders named after their MD5 sums.");
}
}