An Interactive Disassembler for x86/ARM/MIPS - Plasma

PLASMA is an interactive disassembler. It can generate a more readable assembly (pseudo code) with colored syntax. You can write scripts with the available Python api (see an example below). The project is still in big development.

wiki : TODO list and some documentation.

It supports :

• architectures : x86{64}, ARM, MIPS{64} (partially for ARM and MIPS)
• formats : ELF, PE, RAW

Warning: until structures and type definitions are not implemented, the database compatibility could be broken.

Requirements

• python >= 3.4
• capstone
• python-pyelftools
• pefile + python3-future
• python-msgpack >= 0.4.6
• c++filt (available in the binutils Linux package)
• terminal should support UTF8 and 256 colors (if not, use the option --nocolor)

Optional :

• python-qt4 used for the memory map
• keystone for the script asm.py

Installation

./install.sh

Or if you have already installed requirements with the previous command :

./install.sh --update

Check tests :

make
....................................................................................
84/84 tests passed successfully in 2.777975s
analyzer tests...
...

Pseudo-decompilation of functions

$ plasma -i tests/server.bin
>> v main
# you can press tab to show the pseudo decompilation
# | to split the window
# See the command help for all shortcuts

Qt memory map (memmap)
The image is actually static.

Scripting (Python API)
See more on the wiki for the API.
Some examples (these scripts are placed in plasma/scripts) :

$ plasma -i FILE
plasma> py !strings.py             # print all strings
plasma> py !xrefsto.py FUNCTION    # xdot call graph
plasma> py !crypto.py              # detect some crypto constants
plasma> py !asm.py CODE            # assemble with keystone
plasma> py !disasm.py HEX_STRING   # disassemble a buffer

Download Plasma

Read More

PowerShell Remote Download Cradle Generator and Obfuscator - Invoke-CradleCrafter

Invoke-CradleCrafter is a PowerShell v2.0+ compatible PowerShell remote download cradle generator and obfuscator.

Purpose

Invoke-CradleCrafter exists to aid Blue Teams and Red Teams in easily exploring, generating and obfuscating PowerShell remote download cradles. In addition, it helps Blue Teams test the effectiveness of detections that may work for output produced by Invoke-Obfuscation but may fall short when dealing with Invoke-CradleCrafter since it does not contain any string concatenations, encodings, tick marks, type casting, etc.

Another important component of this research and tool development was to effectively highlight the high-level behavior and artifacts left behind when each cradle is executed. I have tried to highlight this information when you first enter a new cradle type in the interactive menus of the tool.

Ultimately, knowing more about each cradle's behavior and artifacts will help the Blue Team better detect these cradles. This knowledge should also benefit the Red Teamer in making more informed selections of which cradle to use in a given scenario.

Usage

While all of the cradles can be produced by directly calling the Out-Cradle function, the complexity of the moving pieces for all of the stacked obfuscated components makes using the Invoke-CradleCrafter function the easiest way to explorer and visualize the cradle syntaxes and obfuscation techniques that this framework currently supports.

Installation

The source code for Invoke-CradleCrafter is hosted at Github, and you may download, fork and review it from the repository. Please report issues or feature requests through Github's bug tracker associated with this project.

To install:

Import-Module ./Invoke-CradleCrafter.psd1
Invoke-CradleCrafter

Release Notes
v1.0 - 2017-04-28 x33fcon (Gdynia, Poland): PUBLIC Release of Invoke-CradleCrafter.
v1.1 - 2017-05-11 NOPcon (Istanbul, Turkey): Added 3 new memory-based cradles:

• PsComMsXml
• PsInlineCSharp
• PsCompiledCSharp Added 2 disk-based cradles:
• PsBits
• BITSAdmin

Download Invoke-CradleCrafter

Read More