private void MarkInsideRizin(int cnt, string name, decimal offset, string length, string identifier, string mark, decimal?mappedOffset) { rizin.Command("fs+yara"); rizin.Command($"f {mark}.{cnt} {length} @{mappedOffset}"); rizin.Command($"fC {mark}.{cnt} 'Yara match \"{name}\" at \"{offset}\" lenght \"{length}\" identifier \"{identifier}\"'"); rizin.Command("fs-"); }
private void UnloadMappedFileAtOffsetZero() { using (DataTable dt = rizin.CommandDataTable("oj")) { DataRow last = dt.Rows.OfType <DataRow>().OrderBy(x => (decimal)x[".fd"]).Last(); decimal fd = (decimal)last[".fd"]; rizin.Command($"o-{fd}"); } }
private void DisassembleSection(decimal vaddr, decimal vsize, Stream stream) { string colors = rizin.CommandString("e scr.color"); string lines = rizin.CommandString("e asm.lines"); rizin.Command("e scr.color=0"); rizin.Command("e asm.lines=false"); string opcodes = rizin.CommandString($"pD {vsize} @{vaddr}"); rizin.Command($"e scr.color={colors}"); rizin.Command($"e asm.lines={lines}"); byte[] data = Encoding.UTF8.GetBytes(opcodes); stream.Write(data, 0, data.Length); }
private JsonDocument GetStackStringsJson() { var outputBuffer = new ArrayBufferWriter <byte>(); int cnt = 0; using (var jsonWriter = new Utf8JsonWriter(outputBuffer)) { jsonWriter.WriteStartArray(); using (JsonDocument jsonFcn = rizin.CommandJson("aflj")) { if (jsonFcn == null) { return(null); } foreach (var fcn in jsonFcn.RootElement.EnumerateArray()) { decimal offset = fcn.GetProperty("offset").GetDecimal(); string name = fcn.GetProperty("name").GetString(); bool firstString = true; using (JsonDocument jsonInst = rizin.CommandJson($"pifj @{offset}")) { if (jsonInst == null) { continue; } foreach (var inst in jsonInst.RootElement.GetProperty("ops").EnumerateArray()) { JsonElement valElem, tmpElem; if (!inst.TryGetProperty("val", out valElem)) { continue; } if (inst.TryGetProperty("refs", out tmpElem) && tmpElem.GetArrayLength() > 0) { continue; } decimal opoffset = inst.GetProperty("offset").GetDecimal(); decimal size = inst.GetProperty("size").GetDecimal(); decimal val = valElem.GetDecimal(); string opcode = inst.GetProperty("opcode").GetString(); string type = inst.GetProperty("type").GetString(); if (type != "mov" && type != "push") { continue; } byte[] data = BitConverter.GetBytes((ulong)val); List <char> chars = new List <char>(); for (int i = 0; i < data.Length; i++) { if (data[i] >= 0x20 && data[i] <= 0x7A) { char chr = (char)data[i]; chars.Add(chr); } } if (chars.Count > 0) { string str = new string(chars.ToArray()); string strComm = new string(chars.ToArray()); if (strComm.Contains('\\')) { strComm = strComm.Replace(backslash, doublebackslash); } if (strComm.Contains('\'')) { strComm = strComm.Replace(mark, markescaped); } rizin.Command("fs+stackstrings"); rizin.Command($"f loc.stackstring.{cnt} {size} @{opoffset}"); rizin.Command($"fC loc.stackstring.{cnt} '{strComm}'"); rizin.Command("fs-"); cnt++; if (firstString) { jsonWriter.WriteStartObject(); jsonWriter.WriteNumber("offset", offset); jsonWriter.WriteString("name", name); jsonWriter.WriteStartArray("ops"); firstString = false; } jsonWriter.WriteStartObject(); jsonWriter.WriteString("string", str); jsonWriter.WriteNumber("offset", opoffset); jsonWriter.WriteNumber("val", val); jsonWriter.WriteString("opcode", opcode); jsonWriter.WriteEndObject(); } } } if (!firstString) { jsonWriter.WriteEndArray(); jsonWriter.WriteEndObject(); } } } jsonWriter.WriteEndArray(); } return(JsonDocument.Parse(Encoding.UTF8.GetString(outputBuffer.WrittenSpan))); }
static void Main(string[] args) { if (args.Length > 1) { Parallel.ForEach(args, new ParallelOptions { MaxDegreeOfParallelism = Environment.ProcessorCount }, (arg) => ShellUtils.RunShellAsync( "dotnet", $"\"{Assembly.GetExecutingAssembly().Location}\" \"{arg}\"") .GetAwaiter().GetResult() ); } else if (args.Length == 1) { string arg = args[0]; if (File.Exists(arg)) { using (var rizin = new Rizin()) { rizin.Command($"o \"{arg}\""); string fileName = Path.GetFileName(arg); using (DataTable dt = rizin.CommandDataTable("itj")) { if (dt.Columns.Contains(".md5")) { fileName = (string)dt.Rows[0][".md5"]; } } string path = $"rz_report/{fileName}"; Directory.CreateDirectory(path); Report report = new Report(rizin, path); rizin.CommandAnalyzeBinary(); Yara yara = new Yara(rizin, path); yara.TryYaraCheck(); report.Hashes(); report.Info(); if (CheckIsNotExecutable(rizin)) { return; } if (CheckIsCilExecutable(rizin)) { try { var decompiler = new CSharpDecompiler(arg, new DecompilerSettings()); string code = decompiler.DecompileWholeModuleAsString(); string cilFileName = string.Concat(path, Path.DirectorySeparatorChar, "cil.txt"); File.WriteAllText(cilFileName, code); } catch (Exception) { } return; } report.Headers(); report.Sections(); report.Resources(); report.Libraries(); report.Signature(); report.Entrypoints(); report.Imports(); report.Exports(); report.Strings(); report.StackStrings(); report.Functions(); rizin.Command($"Ps \"{path}/project.rzdb\""); // Opcodes opcodes = new Opcodes(rizin, path); // opcodes.Disassemble(); Data data = new Data(rizin, path); data.Export(); } } } else { Console.WriteLine(@"usage: rz_report [FILE]..."); Console.WriteLine(@"creates a folder ""./rz_report"" and writes the analysis " + @"results inside subfolders named after their MD5 sums."); } }