4 releases (2 breaking)
0.3.0 | Mar 27, 2024 |
---|---|
0.2.2 | Mar 20, 2024 |
0.2.0 | Mar 20, 2024 |
0.1.0 | Mar 19, 2024 |
#8 in #malware-analysis
181 downloads per month
25KB
446 lines
Reverse Engineering Lib 🕵️♂️🔍
Welcome to reverse_engineering_lib, your go-to Rust crate for peeling back the layers of binaries and understanding their innards! Whether you're a cybersecurity enthusiast, a malware analyst, or just plain curious about what makes executables tick, this crate has got your back.
Features 🌟
- Entropy Calculation: Get a sense of the randomness within your binary, a vital clue in spotting packed or encrypted sections.
- Color-Based Hex Visualization: Turn those drab hex dumps into a vibrant array of colors, because who said reverse engineering couldn't be a visual treat?
- Detailed PE Analysis: Dive deep into Portable Executable files, extracting juicy details like entry points, section headers, and import/export tables.
Getting Started 🚀
First things first, you'll need Rust installed. If you haven't already, head on over to rustup.rs and follow the instructions.
Once Rust is ready to go, clone the repo and navigate into your project directory:
git clone https://github.com/bdr-pro/reverse_engineering_lib.git
cd reverse_engineering_lib
Usage 🛠
Calculating the entropy of a binary is as simple as:
let entropy = calculate_entropy("path/to/your/binary.exe").unwrap();
println!("Entropy: {}", entropy);
For a color-based perspective of your binary:
let color_data = color_based_hex("path/to/binary.exe").unwrap();
// Implement your logic to visualize color_data
And to extract detailed PE information:
let details = extract_detail_exe("path/to/binary.exe").unwrap();
for (key, value) in details.iter() {
println!("{}: {}", key, value);
}
Cli Mode 🖥️
The main function is in the main.rs
file. It is a showcase of the library's capabilities by using the library's functions to analyze a binary file in cli mode.
Contributing 🤝
Got ideas on how to make reverse_engineering_lib even better? Pull requests are more than welcome! Whether it's adding new features, improving documentation, or fixing bugs, your contributions are what make the open-source community amazing.
License 📜
reverse_engineering_lib is distributed under the MIT License. See LICENSE
for more information.
Acknowledgments 💖
Big shoutout to the developers of the Rust programming language, the creators of the sha2
, rand
, and goblin
crates, and everyone in the cybersecurity community who shares their knowledge and tools. You rock!
Example main.rs
📂
For a practical example of how to use reverse_engineering_lib, check out the provided main.rs
file in the repository. It's a ready-to-run showcase of the library's capabilities.
Here's a brief overview of the modes it supports
For pe-header
Mode
Given a PE file, this mode prints out the basic PE header information:
$ cargo run -- pe-header path/to/pe_file.exe
PeHeaderInfo { machine: 34404, number_of_sections: 5 }
This output indicates that the PE file is for an x64 architecture (machine: 34404
corresponds to AMD64) and contains 5 sections.
For elf-functions
Mode
Given an ELF file, this mode lists the names of functions found in the ELF file:
$ cargo run -- elf-functions path/to/elf_file
["main", "_start", "printf", "exit"]
This example output shows the ELF file contains functions like main
, _start
, printf
, and exit
.
For entropy
Mode
This mode calculates and displays the entropy of segments (or "windows") of a file, which can indicate its randomness:
$ cargo run -- entropy path/to/any_file
Offset: 0x0, Entropy: 7.95
Offset: 0x100, Entropy: 5.47
Offset: 0x200, Entropy: 3.58
Here, the entropy values are hypothetical and show that the file starts with high randomness (entropy close to 8), which decreases in later sections. High entropy could indicate compressed or encrypted data.
Disassembler Mode
This mode disassembles the given binary file and prints the disassembled instructions:
0x14af: nop
0x14b0: call 0xcc30
0x14b5: cmp eax, 0xa
0x14b8: je 0x14bf
0x14ba: cmp eax, -1
0x14bd: jne 0x14b0
0x14bf: mov eax, dword ptr [rbp - 4]
0x14c2: cmp eax, dword ptr [rip + 0x424330]
0x14c8: jle 0x14da
This output shows the disassembled instructions at different memory addresses in the binary file.
use reverse_engineering_lib::disassemble;
fn main() {
let file_path =
"{your_binary_file_path_here.exe}";
match disassemble(&file_path) {
Ok(disassembly) => println!("{}", disassembly),
Err(e) => eprintln!("Disassembly failed: {}", e),
}
}
Happy reverse engineering! 🚀👨💻👩💻
Remember, with great power comes great responsibility. Use reverse_engineering_lib ethically and legally. Happy hacking! 🖥️🔐
Dependencies
~34MB
~1M SLoC