From 68012909fc37d312d1789c50b23ab6fc605eb5d7 Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Sun, 30 Jun 2024 11:29:28 +0200 Subject: [PATCH 1/8] install capa --- installer/I13_disasm.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/installer/I13_disasm.sh b/installer/I13_disasm.sh index 13e938d52..8f3f18b01 100755 --- a/installer/I13_disasm.sh +++ b/installer/I13_disasm.sh @@ -57,6 +57,12 @@ I13_disasm() { y|Y ) # apt-get install "${INSTALL_APP_LIST[@]}" -y --no-install-recommends apt-get install "${INSTALL_APP_LIST[@]}" -y + + if ! [[ -f "external/capa" ]] ; then + download_file "capa" "https://github.com/mandiant/capa/releases/download/v7.1.0/capa-v7.1.0-linux.zip" "external/capa-v7.1.0-linux.zip" + unzip external/capa-v7.1.0-linux.zip -d external + rm external/capa-v7.1.0-linux.zip + fi if ! [[ -f "external/objdump" ]] ; then download_file "${BINUTIL_VERSION_NAME}" "https://ftp.gnu.org/gnu/binutils/${BINUTIL_VERSION_NAME}.tar.gz" "external/${BINUTIL_VERSION_NAME}.tar.gz" From d75d73eb5f77c65495f32b1ef8af0f1d50868585 Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Mon, 1 Jul 2024 08:30:57 +0200 Subject: [PATCH 2/8] capa testing --- docker-compose.yml | 3 +- installer/I13_disasm.sh | 4 +- modules/S18_capa_checker.sh | 74 +++++++++++++++++++++++++++++++++++++ 3 files changed, 78 insertions(+), 3 deletions(-) create mode 100755 modules/S18_capa_checker.sh diff --git a/docker-compose.yml b/docker-compose.yml index 3a69e3d26..f6ece73fa 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -12,7 +12,7 @@ services: # /root/.config is needed for cwe_checker # /root/.local is needed for cwe_checker tmpfs: - - /tmp + - /tmp:exec - /root/.config/ - /root/.local/share/composer/ - /root/.local/share/cwe_checker/ 
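Review bot: The capa release zip is downloaded and unzipped into `external` without any integrity verification, so a tampered download or a replaced release asset becomes the executable that later runs against every firmware binary; the binutils tarball fetched two lines below appears to have the same gap, though download_file's own checks are not visible here. Pin the expected digest in the installer and verify it on the line after `download_file`, before `unzip`, e.g. `echo "<PINNED_SHA256>  external/capa-v7.1.0-linux.zip" | sha256sum -c --strict -- || exit 1`. The enclosing `I13_disasm` case arm begins outside the hunk.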
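Review bot: Changing the `/tmp` tmpfs to `/tmp:exec` drops the noexec that Docker applies to tmpfs mounts by default, so the one writable scratch area of this `read_only`, privileged container, which processes untrusted firmware content, now lets anything written there be executed. Patch 5 reverts this and the docker-compose hunk of patch 7 (L13) reinstates it with a Todo, so the final state keeps the weaker setting. If capa needs exec only because its standalone build unpacks itself into a temp directory at run time (inferred from the need for exec; confirm against the capa build), a narrower option is a dedicated tmpfs such as `- /tmp/capa:exec` with the main `/tmp` left noexec, and `TMPDIR=/tmp/capa` set only on the capa invocation in S18_capa_checker.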
@@ -35,6 +35,7 @@ services: - ${EMBA}/:/emba:ro - ${EMBA}/external/linux_kernel_sources/:/external/linux_kernel_sources:ro - ${EMBA}/external/nvd-json-data-feeds/:/external/nvd-json-data-feeds:ro + - ${EMBA}/external/capa:/external/capa - /etc/localtime:/etc/localtime:ro - /dev:/dev environment: diff --git a/installer/I13_disasm.sh b/installer/I13_disasm.sh index 8f3f18b01..d72f6b9c2 100755 --- a/installer/I13_disasm.sh +++ b/installer/I13_disasm.sh @@ -57,8 +57,8 @@ I13_disasm() { y|Y ) # apt-get install "${INSTALL_APP_LIST[@]}" -y --no-install-recommends apt-get install "${INSTALL_APP_LIST[@]}" -y - - if ! [[ -f "external/capa" ]] ; then + + if ! [[ -f "external/capa" ]]; then download_file "capa" "https://github.com/mandiant/capa/releases/download/v7.1.0/capa-v7.1.0-linux.zip" "external/capa-v7.1.0-linux.zip" unzip external/capa-v7.1.0-linux.zip -d external rm external/capa-v7.1.0-linux.zip diff --git a/modules/S18_capa_checker.sh b/modules/S18_capa_checker.sh new file mode 100755 index 000000000..dd13524e1 --- /dev/null +++ b/modules/S18_capa_checker.sh 
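Review bot: The new `${EMBA}/external/capa:/external/capa` bind mount is read-write while every sibling mount of EMBA data in this list is `:ro`; mounting an analyzer binary writable into a container that handles untrusted firmware is a needless weakening, `- ${EMBA}/external/capa:/external/capa:ro` is the consistent form. Patch 5 (L11) removes this mount again, so this only matters if it comes back.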
@@ -0,0 +1,74 @@ +#!/bin/bash -p + +# EMBA - EMBEDDED LINUX ANALYZER +# +# Copyright 2024-2024 Siemens Energy AG +# +# EMBA comes with ABSOLUTELY NO WARRANTY. This is free software, and you are +# welcome to redistribute it under the terms of the GNU General Public License. +# See LICENSE file for usage of this software. +# +# EMBA is licensed under GPLv3 +# SPDX-License-Identifier: GPL-3.0-only +# +# Author(s): Michael Messner + +# Description: This module uses capa (https://github.com/mandiant/capa) for detecting binary behavior +# Currently capa only supports x86 architecture + +S18_capa_checker() { + module_log_init "${FUNCNAME[0]}" + module_title "Analyse binary behavior with capa" + pre_module_reporter "${FUNCNAME[0]}" + + if [[ ! -e "${EXT_DIR}"/capa ]]; then + print_output "[-] Missing capa installation ... exit module" + module_end_log "${FUNCNAME[0]}" 0 + return + fi + + local lBIN_COUNT=0 + local lBINARY="" + local lWAIT_PIDS_S18=() + + for lBINARY in "${BINARIES[@]}"; do + if ( file "${lBINARY}" | grep -q "ELF.*Intel" ); then + lBIN_COUNT=$((lBIN_COUNT+1)) + if [[ "${THREADED}" -eq 1 ]]; then + capa_runner_fct "${lBINARY}" & + local lTMP_PID="$!" + store_kill_pids "${lTMP_PID}" + lWAIT_PIDS_S18+=( "${lTMP_PID}" ) + max_pids_protection "${MAX_MOD_THREADS}" "${lWAIT_PIDS_S18[@]}" + else + capa_runner_fct "${lBINARY}" + fi + else + print_output "[-] Binary behavior testing with capa for $(print_path "${lBINARY}") not possible ... 
unsupported architecture" + fi + done + + [[ "${THREADED}" -eq 1 ]] && wait_for_pid "${lWAIT_PIDS_S18[@]}" + + print_ln + print_output "[*] Found ${ORANGE}${lBIN_COUNT}${NC} capa results in ${ORANGE}${#BINARIES[@]}${NC} binaries" + + module_end_log "${FUNCNAME[0]}" "${lBIN_COUNT}" +} + +capa_runner_fct() { + local lBINARY="${1:-}" + + local lBIN_NAME="" + lBIN_NAME="$(basename "${lBINARY}")" + + print_output "[*] Testing binary behavior with capa for $(print_path "${lBINARY}")" "no_log" + "${EXT_DIR}"/capa "${lBINARY}" > "${LOG_PATH_MODULE}/capa_${lBIN_NAME}".log || print_output "[-] Capa analysis failed for ${lBINARY}" "no_log" + + if [[ -s "${LOG_PATH_MODULE}/capa_${lBIN_NAME}.log" ]]; then + print_output "[+] Capa results for ${ORANGE}$(print_path "${lBINARY}")${NC}" "" "${LOG_PATH_MODULE}/capa_${lBIN_NAME}.log" + else + print_output "[*] No capa results for $(print_path "${lBINARY}")" "no_log" + rm "${LOG_PATH_MODULE}/capa_${lBIN_NAME}.log" || true + fi +} From 79d1e2cf897d385a012ecd0f8c4ef3bcf8468595 Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Mon, 1 Jul 2024 10:20:28 +0200 Subject: [PATCH 3/8] improve capa module --- helpers/helpers_emba_dependency_check.sh | 1 + modules/S18_capa_checker.sh | 77 +++++++++++++++++++----- 2 files changed, 63 insertions(+), 15 deletions(-) diff --git a/helpers/helpers_emba_dependency_check.sh b/helpers/helpers_emba_dependency_check.sh index 7539a63da..c815236cb 100755 --- a/helpers/helpers_emba_dependency_check.sh +++ b/helpers/helpers_emba_dependency_check.sh @@ -695,6 +695,7 @@ dependency_check() # radare2 check_dep_tool "radare2" "r2" fi + check_dep_file "Identify capabilities in executable files" "${EXT_DIR}/capa" # bandit python security tester check_dep_tool "bandit - python vulnerability scanner" "bandit" diff --git a/modules/S18_capa_checker.sh b/modules/S18_capa_checker.sh index dd13524e1..0d6223a93 100755 --- a/modules/S18_capa_checker.sh +++ b/modules/S18_capa_checker.sh 
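Review bot: capa_runner_fct names its log after `basename "${lBINARY}"`, so two binaries with the same name in different directories — common in firmware images — overwrite the same `capa_<name>.log`, and with THREADED=1 they write it concurrently, so the results reported for a path can belong to a different file. A unique suffix avoids this, e.g. `lBIN_NAME="$(basename "${lBINARY}")_$(md5sum "${lBINARY}" | awk '{print $1}')"` (any per-file hash works). capa is also started without a time bound on untrusted input; `timeout 600 "${EXT_DIR}"/capa "${lBINARY}" > "${LOG_PATH_MODULE}/capa_${lBIN_NAME}".log` (600 s is a sample value) keeps one pathological binary from stalling the whole module.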
@@ -26,34 +26,78 @@ S18_capa_checker() { module_end_log "${FUNCNAME[0]}" 0 return fi + if [[ ${BINARY_EXTENDED} -ne 1 ]] ; then + print_output "[-] ${FUNCNAME[0]} - BINARY_EXTENDED not set to 1. You can set it up via a scan-profile." + module_end_log "${FUNCNAME[0]}" 0 + return + fi + if [[ "${FULL_TEST}" -ne 1 ]]; then + # we only need to wait if we are not using the full_scan profile + module_wait "S13_weak_func_check" + fi + if [[ -s "${CSV_DIR}"/s13_weak_func_check.csv ]]; then + local BINARIES=() + # usually binaries with strcpy or system calls are more interesting for further analysis + # to keep analysis time low we only check these bins + mapfile -t BINARIES < <(grep "strcpy\|system" "${CSV_DIR}"/s13_weak_func_check.csv | sort -k 3 -t ';' -n -r | awk '{print $1}' || true) + fi - local lBIN_COUNT=0 local lBINARY="" + local lBIN_TO_CHECK="" local lWAIT_PIDS_S18=() + local lBIN_TO_CHECK_ARR=() + export BINS_CHECKED_ARR=() for lBINARY in "${BINARIES[@]}"; do - if ( file "${lBINARY}" | grep -q "ELF.*Intel" ); then - lBIN_COUNT=$((lBIN_COUNT+1)) - if [[ "${THREADED}" -eq 1 ]]; then - capa_runner_fct "${lBINARY}" & - local lTMP_PID="$!" 
- store_kill_pids "${lTMP_PID}" - lWAIT_PIDS_S18+=( "${lTMP_PID}" ) - max_pids_protection "${MAX_MOD_THREADS}" "${lWAIT_PIDS_S18[@]}" + mapfile -t lBIN_TO_CHECK_ARR < <(find "${LOG_DIR}/firmware" -name "$(basename "${lBINARY}")" | sort -u || true) + for lBIN_TO_CHECK in "${lBIN_TO_CHECK_ARR[@]}"; do + if [[ -f "${BASE_LINUX_FILES}" && "${FULL_TEST}" -eq 0 ]]; then + # if we have the base linux config file we only test non known Linux binaries + # with this we do not waste too much time on open source Linux stuff + lNAME=$(basename "${lBIN_TO_CHECK}" 2> /dev/null) + if grep -E -q "^${lNAME}$" "${BASE_LINUX_FILES}" 2>/dev/null; then + continue 2 + fi + fi + + if ( file "${lBIN_TO_CHECK}" | grep -q "ELF.*Intel" ); then + # ensure we have not tested this binary entry + local lBIN_MD5="" + lBIN_MD5="$(md5sum "${lBIN_TO_CHECK}" | awk '{print $1}')" + if [[ "${BINS_CHECKED_ARR[*]}" == *"${lBIN_MD5}"* ]]; then + # print_output "[*] ${ORANGE}${lBIN_TO_CHECK}${NC} already tested with ghidra/semgrep" "no_log" + continue + fi + + if [[ "${THREADED}" -eq 1 ]]; then + capa_runner_fct "${lBIN_TO_CHECK}" & + local lTMP_PID="$!" + store_kill_pids "${lTMP_PID}" + lWAIT_PIDS_S18+=( "${lTMP_PID}" ) + max_pids_protection "${MAX_MOD_THREADS}" "${lWAIT_PIDS_S18[@]}" + else + capa_runner_fct "${lBIN_TO_CHECK}" + fi + + # in normal operation we stop checking after the first 20 binaries + # if FULL_TEST is activated we are testing all binaries -> this takes a long time + if [[ "${#BINS_CHECKED_ARR[@]}" -gt 20 ]] && [[ "${FULL_TEST}" -ne 1 ]]; then + print_output "[*] 20 binaries already analysed - ending capa binary analysis now." "no_log" + print_output "[*] For complete analysis enable FULL_TEST." "no_log" + break 2 + fi else - capa_runner_fct "${lBINARY}" + print_output "[-] Binary behavior testing with capa for $(print_path "${lBIN_TO_CHECK}") not possible ... 
unsupported architecture" fi - else - print_output "[-] Binary behavior testing with capa for $(print_path "${lBINARY}") not possible ... unsupported architecture" - fi + done done [[ "${THREADED}" -eq 1 ]] && wait_for_pid "${lWAIT_PIDS_S18[@]}" print_ln - print_output "[*] Found ${ORANGE}${lBIN_COUNT}${NC} capa results in ${ORANGE}${#BINARIES[@]}${NC} binaries" + print_output "[*] Found ${ORANGE}${#BINS_CHECKED_ARR[@]}${NC} capa results in ${ORANGE}${#BINARIES[@]}${NC} binaries" - module_end_log "${FUNCNAME[0]}" "${lBIN_COUNT}" + module_end_log "${FUNCNAME[0]}" "${#BINS_CHECKED_ARR[@]}" } capa_runner_fct() { @@ -67,6 +111,9 @@ capa_runner_fct() { if [[ -s "${LOG_PATH_MODULE}/capa_${lBIN_NAME}.log" ]]; then print_output "[+] Capa results for ${ORANGE}$(print_path "${lBINARY}")${NC}" "" "${LOG_PATH_MODULE}/capa_${lBIN_NAME}.log" + local lBIN_MD5="" + lBIN_MD5="$(md5sum "${lBIN_TO_CHECK}" | awk '{print $1}')" + BINS_CHECKED_ARR+=( "${lBIN_MD5}" ) else print_output "[*] No capa results for $(print_path "${lBINARY}")" "no_log" rm "${LOG_PATH_MODULE}/capa_${lBIN_NAME}.log" || true From dcb26d6e0eb082f148623594b3dd4200188dd092 Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Mon, 1 Jul 2024 13:35:26 +0200 Subject: [PATCH 4/8] improve capa module --- helpers/helpers_emba_status_bar.sh | 2 +- modules/S18_capa_checker.sh | 24 +++++++++++++++--------- 2 files changed, 16 insertions(+), 10 deletions(-) diff --git a/helpers/helpers_emba_status_bar.sh b/helpers/helpers_emba_status_bar.sh index 3b4a75d0a..91fa61a6c 100755 --- a/helpers/helpers_emba_status_bar.sh +++ b/helpers/helpers_emba_status_bar.sh 
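Review bot: `grep -E -q "^${lNAME}$" "${BASE_LINUX_FILES}"` interpolates a basename taken from the firmware into an ERE, so names containing `.`, `+` or `(` match more than intended or make grep fail to compile the pattern; `grep -F -x -q -- "${lNAME}" "${BASE_LINUX_FILES}"` is the exact-line comparison that is meant, and `lNAME` should be declared `local` like the other variables in this function. The BINARIES selection pipes a `;`-separated CSV through `awk '{print $1}'`, which splits on whitespace — if the rows contain no blanks, `$1` is the whole row and the later `find -name "$(basename "${lBINARY}")"` would never match; the CSV layout is not visible here, so worth confirming, with `cut -d';' -f1` if the first column is the path. The enclosing S18_capa_checker starts outside the hunk.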
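Review bot: `md5sum "${lBIN_TO_CHECK}"` hashes the caller's loop variable instead of the function's own argument `lBINARY`; it only works because bash locals are dynamically scoped, and it silently hashes the wrong file (or an empty path) if capa_runner_fct is ever invoked from elsewhere. Use `lBIN_MD5="$(md5sum "${lBINARY}" | awk '{print $1}')"`. The same line survives the capa_runner_fct hunks of patches 4, 5 and 7 (L10, L12 and L13). Since the inputs are untrusted, a collision-resistant hash (`sha256sum` is a drop-in here) is the safer dedup key than md5, although the impact is limited to a skipped analysis.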
@@ -351,7 +351,7 @@ update_box_status_2() { fi while [[ "${BOX_SIZE}" -gt 0 ]]; do - [[ -f "${TMP_DIR}""/LINES.log" ]] && lLINES=$(cat "${TMP_DIR}""/LINES.log") + [[ -f "${TMP_DIR}""/LINES.log" ]] && lLINES=$(cat "${TMP_DIR}""/LINES.log" || true) PHASE_STR=$(grep 'phase started' "${LOG_DIR}/emba.log" 2> /dev/null | tail -1 | cut -d"-" -f2 | awk '{print $1}' || true) [[ "${PHASE_STR}" == "Pre" ]] && PHASE_STR="Extraction" diff --git a/modules/S18_capa_checker.sh b/modules/S18_capa_checker.sh index 0d6223a93..e66f78b40 100755 --- a/modules/S18_capa_checker.sh +++ b/modules/S18_capa_checker.sh @@ -46,7 +46,7 @@ S18_capa_checker() { local lBIN_TO_CHECK="" local lWAIT_PIDS_S18=() local lBIN_TO_CHECK_ARR=() - export BINS_CHECKED_ARR=() + local lBINS_CHECKED_CNT=0 for lBINARY in "${BINARIES[@]}"; do mapfile -t lBIN_TO_CHECK_ARR < <(find "${LOG_DIR}/firmware" -name "$(basename "${lBINARY}")" | sort -u || true) @@ -61,11 +61,11 @@ S18_capa_checker() { fi if ( file "${lBIN_TO_CHECK}" | grep -q "ELF.*Intel" ); then - # ensure we have not tested this binary entry + # ensure we have not tested this binary local lBIN_MD5="" lBIN_MD5="$(md5sum "${lBIN_TO_CHECK}" | awk '{print $1}')" - if [[ "${BINS_CHECKED_ARR[*]}" == *"${lBIN_MD5}"* ]]; then - # print_output "[*] ${ORANGE}${lBIN_TO_CHECK}${NC} already tested with ghidra/semgrep" "no_log" + if ( grep -q "${lBIN_MD5}" "${TMP_DIR}"/s18_checked.tmp 2>/dev/null); then + # print_output "[*] ${ORANGE}${lBIN_TO_CHECK}${NC} already tested with capa" "no_log" continue fi 
@@ -81,13 +81,14 @@ S18_capa_checker() { # in normal operation we stop checking after the first 20 binaries # if FULL_TEST is activated we are testing all binaries -> this takes a long time - if [[ "${#BINS_CHECKED_ARR[@]}" -gt 20 ]] && [[ "${FULL_TEST}" -ne 1 ]]; then + lBINS_CHECKED_CNT=$(wc -l "${TMP_DIR}"/s18_checked.tmp 2>/dev/null || true) + if [[ "${lBINS_CHECKED_CNT/\ *}" -gt 20 ]] && [[ "${FULL_TEST}" -ne 1 ]]; then print_output "[*] 20 binaries already analysed - ending capa binary analysis now." "no_log" print_output "[*] For complete analysis enable FULL_TEST." "no_log" break 2 fi else - print_output "[-] Binary behavior testing with capa for $(print_path "${lBIN_TO_CHECK}") not possible ... unsupported architecture" + print_output "[-] Binary behavior testing with capa for $(print_path "${lBIN_TO_CHECK}") not possible ... unsupported architecture" "no_log" fi done done @@ -95,9 +96,12 @@ S18_capa_checker() { [[ "${THREADED}" -eq 1 ]] && wait_for_pid "${lWAIT_PIDS_S18[@]}" print_ln - print_output "[*] Found ${ORANGE}${#BINS_CHECKED_ARR[@]}${NC} capa results in ${ORANGE}${#BINARIES[@]}${NC} binaries" + lBINS_CHECKED_CNT=$(wc -l "${TMP_DIR}"/s18_checked.tmp 2>/dev/null || true) + print_output "[*] Found ${ORANGE}${lBINS_CHECKED_CNT/\ *}${NC} capa results in ${ORANGE}${#BINARIES[@]}${NC} binaries" + cat "${TMP_DIR}"/s18_checked.tmp + rm "${TMP_DIR}"/s18_checked.tmp 2>/dev/null - module_end_log "${FUNCNAME[0]}" "${#BINS_CHECKED_ARR[@]}" + module_end_log "${FUNCNAME[0]}" "${lBINS_CHECKED_CNT/\ *}" } capa_runner_fct() { 
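Review bot: The new cap `if [[ "${lBINS_CHECKED_CNT/\ *}" -gt 20 ]]` counts lines of `s18_checked.tmp`, which capa_runner_fct appends to only when capa produced a non-empty result (L10's hunk), so the message "20 binaries already analysed" is inaccurate and on a firmware where capa finds nothing the non-FULL_TEST run never stops early. With THREADED=1 the file is written by background jobs, so the count also lags behind the jobs already dispatched (inferred from the `&` above the hunk). If the limit is meant to bound analysis effort, count dispatched binaries in the loop itself, `lBINS_CHECKED_CNT=$((lBINS_CHECKED_CNT+1))` right after the `capa_runner_fct` call, and keep the file only for the results summary; `wc -l < "${TMP_DIR}"/s18_checked.tmp` would also make the `${var/\ *}` trimming unnecessary. S18_capa_checker starts outside the hunk.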
@@ -113,7 +117,9 @@ capa_runner_fct() { print_output "[+] Capa results for ${ORANGE}$(print_path "${lBINARY}")${NC}" "" "${LOG_PATH_MODULE}/capa_${lBIN_NAME}.log" local lBIN_MD5="" lBIN_MD5="$(md5sum "${lBIN_TO_CHECK}" | awk '{print $1}')" - BINS_CHECKED_ARR+=( "${lBIN_MD5}" ) + if ( ! grep -q "${lBIN_MD5}" "${TMP_DIR}"/s18_checked.tmp 2>/dev/null); then + echo "${lBIN_MD5}" >> "${TMP_DIR}"/s18_checked.tmp + fi else print_output "[*] No capa results for $(print_path "${lBINARY}")" "no_log" rm "${LOG_PATH_MODULE}/capa_${lBIN_NAME}.log" || true From 92542edb6220d35e9e2db7113a001b34ad3893cf Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Tue, 2 Jul 2024 13:54:09 +0200 Subject: [PATCH 5/8] include links --- .github/workflows/docker-image.yml | 2 +- docker-compose.yml | 7 +++---- installer/I13_disasm.sh | 1 + modules/S18_capa_checker.sh | 3 ++- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml index 54e4392c2..492abc8da 100644 --- a/.github/workflows/docker-image.yml +++ b/.github/workflows/docker-image.yml @@ -42,4 +42,4 @@ jobs: source "./external/emba_venv/bin/activate" echo "GH_action:true" > ./config/gh_action sudo docker-compose build --no-cache --pull - NO_UPDATE_CHECK=1 sudo -E sudo ./emba -d 2 -y + NO_UPDATE_CHECK=1 sudo -E ./emba -d 2 -y diff --git a/docker-compose.yml b/docker-compose.yml index f6ece73fa..603ae0eda 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -2,7 +2,7 @@ version: "3" services: # nosemgrep emba: - image: embeddedanalyzer/emba:1.4.1d + image: embeddedanalyzer/emba:1.4.1e container_name: emba read_only: true # all pre-checker mount modules need privileged mode @@ -12,7 +12,7 @@ services: # /root/.config is needed for cwe_checker # /root/.local is needed for cwe_checker tmpfs: - - /tmp:exec + - /tmp - /root/.config/ - /root/.local/share/composer/ - /root/.local/share/cwe_checker/ 
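Review bot: With THREADED=1 several capa_runner_fct jobs run at once, so the `grep -q` / `echo >>` pair on `s18_checked.tmp` is a check-then-act race: two jobs can both miss the hash and both append it, and the line count consumed in S18_capa_checker (L9's hunk) then overstates the results. Counting distinct entries, `sort -u "${TMP_DIR}"/s18_checked.tmp | wc -l`, is the simplest fix; serialising the update with `flock` on a lock file next to it is the alternative if the file itself must stay duplicate-free. capa_runner_fct's signature is outside the hunk.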
@@ -35,7 +35,6 @@ services: - ${EMBA}/:/emba:ro - ${EMBA}/external/linux_kernel_sources/:/external/linux_kernel_sources:ro - ${EMBA}/external/nvd-json-data-feeds/:/external/nvd-json-data-feeds:ro - - ${EMBA}/external/capa:/external/capa - /etc/localtime:/etc/localtime:ro - /dev:/dev environment: @@ -51,7 +50,7 @@ services: soft: 0 emba_quest: - image: embeddedanalyzer/emba:1.4.1d + image: embeddedanalyzer/emba:1.4.1e container_name: emba_quest read_only: true tmpfs: diff --git a/installer/I13_disasm.sh b/installer/I13_disasm.sh index d72f6b9c2..4ee008d00 100755 --- a/installer/I13_disasm.sh +++ b/installer/I13_disasm.sh @@ -27,6 +27,7 @@ I13_disasm() { if [[ "${LIST_DEP}" -eq 1 ]] || [[ "${IN_DOCKER}" -eq 1 ]] || [[ "${DOCKER_SETUP}" -eq 0 ]] ; then print_file_info "${BINUTIL_VERSION_NAME}" "The GNU Binutils are a collection of binary tools." "https://ftp.gnu.org/gnu/binutils/${BINUTIL_VERSION_NAME}.tar.gz" "external/${BINUTIL_VERSION_NAME}.tar.gz" "external/objdump" + print_file_info "Capa" "Capa - Open-source tool to identify capabilities in executable files." "https://github.com/mandiant/capa/releases/download/v7.1.0/capa-v7.1.0-linux.zip" "external/capa-v7.1.0-linux.zip" print_tool_info "texinfo" 1 print_tool_info "git" 1 print_tool_info "wget" 1 diff --git a/modules/S18_capa_checker.sh b/modules/S18_capa_checker.sh index e66f78b40..312108f79 100755 --- a/modules/S18_capa_checker.sh +++ b/modules/S18_capa_checker.sh @@ -98,7 +98,6 @@ S18_capa_checker() { print_ln lBINS_CHECKED_CNT=$(wc -l "${TMP_DIR}"/s18_checked.tmp 2>/dev/null || true) print_output "[*] Found ${ORANGE}${lBINS_CHECKED_CNT/\ *}${NC} capa results in ${ORANGE}${#BINARIES[@]}${NC} binaries" - cat "${TMP_DIR}"/s18_checked.tmp rm "${TMP_DIR}"/s18_checked.tmp 2>/dev/null module_end_log "${FUNCNAME[0]}" "${lBINS_CHECKED_CNT/\ *}" 
@@ -115,6 +114,8 @@ capa_runner_fct() { if [[ -s "${LOG_PATH_MODULE}/capa_${lBIN_NAME}.log" ]]; then print_output "[+] Capa results for ${ORANGE}$(print_path "${lBINARY}")${NC}" "" "${LOG_PATH_MODULE}/capa_${lBIN_NAME}.log" + sed -i '/\ T[0-9]\{4\}\(\.[0-9]\)\?/a \[REF\] https://attack.mitre.org/techniques' "${LOG_PATH_MODULE}/capa_${lBIN_NAME}.log" || true + sed -i '/\ MBC Objective/a \[REF\] https://github.com/MBCProject/mbc-markdown' "${LOG_PATH_MODULE}/capa_${lBIN_NAME}.log" || true local lBIN_MD5="" lBIN_MD5="$(md5sum "${lBIN_TO_CHECK}" | awk '{print $1}')" if ( ! grep -q "${lBIN_MD5}" "${TMP_DIR}"/s18_checked.tmp 2>/dev/null); then From 68a43b14f69d09f123a8c36b53e71b8812721ebb Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Tue, 2 Jul 2024 14:00:11 +0200 Subject: [PATCH 6/8] typo --- installer/I13_disasm.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/installer/I13_disasm.sh b/installer/I13_disasm.sh index 4ee008d00..2ecbaf9ac 100755 --- a/installer/I13_disasm.sh +++ b/installer/I13_disasm.sh @@ -60,7 +60,7 @@ I13_disasm() { apt-get install "${INSTALL_APP_LIST[@]}" -y if ! [[ -f "external/capa" ]]; then - download_file "capa" "https://github.com/mandiant/capa/releases/download/v7.1.0/capa-v7.1.0-linux.zip" "external/capa-v7.1.0-linux.zip" + download_file "Capa" "https://github.com/mandiant/capa/releases/download/v7.1.0/capa-v7.1.0-linux.zip" "external/capa-v7.1.0-linux.zip" unzip external/capa-v7.1.0-linux.zip -d external rm external/capa-v7.1.0-linux.zip fi From d935e53f2a7e0ba8f615be776f386c375eec4eb3 Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Tue, 2 Jul 2024 20:31:06 +0200 Subject: [PATCH 7/8] capa updates --- docker-compose.yml | 3 ++- modules/S18_capa_checker.sh | 10 ++++++++-- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index 603ae0eda..25bcc632d 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -12,7 +12,8 @@ services: # /root/.config is needed for cwe_checker # /root/.local is needed for cwe_checker tmpfs: - - /tmp + # exec on /tmp is needed for capa -> Todo: find better solution + - /tmp:exec - /root/.config/ - /root/.local/share/composer/ - /root/.local/share/cwe_checker/ diff --git a/modules/S18_capa_checker.sh b/modules/S18_capa_checker.sh index 312108f79..117c568bb 100755 --- a/modules/S18_capa_checker.sh +++ b/modules/S18_capa_checker.sh @@ -106,17 +106,23 @@ S18_capa_checker() { capa_runner_fct() { local lBINARY="${1:-}" + local lATTACK_CODES_ARR=() + local lATTACK_CODE="" local lBIN_NAME="" lBIN_NAME="$(basename "${lBINARY}")" + local lBIN_MD5="" print_output "[*] Testing binary behavior with capa for $(print_path "${lBINARY}")" "no_log" "${EXT_DIR}"/capa "${lBINARY}" > "${LOG_PATH_MODULE}/capa_${lBIN_NAME}".log || print_output "[-] Capa analysis failed for ${lBINARY}" "no_log" if [[ -s "${LOG_PATH_MODULE}/capa_${lBIN_NAME}.log" ]]; then print_output "[+] Capa results for ${ORANGE}$(print_path "${lBINARY}")${NC}" "" "${LOG_PATH_MODULE}/capa_${lBIN_NAME}.log" - sed -i '/\ T[0-9]\{4\}\(\.[0-9]\)\?/a \[REF\] https://attack.mitre.org/techniques' "${LOG_PATH_MODULE}/capa_${lBIN_NAME}.log" || true + mapfile -t lATTACK_CODES_ARR < <(grep -o "T[0-9]\{4\}\(\.[0-9]\{3\}\)\?" "${LOG_PATH_MODULE}/capa_${lBIN_NAME}.log" || true) + for lATTACK_CODE in "${lATTACK_CODES_ARR[@]}"; do + # check for ATT&CK framework codes and insert the correct links + sed -i "/\ ${lATTACK_CODE}\ /a\[REF\] https://attack.mitre.org/techniques/${lATTACK_CODE/\./\/}" "${LOG_PATH_MODULE}/capa_${lBIN_NAME}.log" || true + done sed -i '/\ MBC Objective/a \[REF\] https://github.com/MBCProject/mbc-markdown' "${LOG_PATH_MODULE}/capa_${lBIN_NAME}.log" || true - local lBIN_MD5="" lBIN_MD5="$(md5sum "${lBIN_TO_CHECK}" | awk '{print $1}')" if ( ! grep -q "${lBIN_MD5}" "${TMP_DIR}"/s18_checked.tmp 2>/dev/null); then echo "${lBIN_MD5}" >> "${TMP_DIR}"/s18_checked.tmp 
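Review bot: `grep -o` emits one entry per occurrence, so a technique id that appears k times in the log is in lATTACK_CODES_ARR k times, and because the `sed -i` address already matches every line containing it, each of those lines ends up with k `[REF]` lines. De-duplicating the list fixes it: `mapfile -t lATTACK_CODES_ARR < <(grep -o "T[0-9]\{4\}\(\.[0-9]\{3\}\)\?" "${LOG_PATH_MODULE}/capa_${lBIN_NAME}.log" | sort -u || true)`. The unescaped `.` in the address `/\ ${lATTACK_CODE}\ /` matches any character, which is harmless only because the ids are constrained by that grep pattern; worth a comment such as `# ids come from the strict T#### pattern above, so they are safe to embed in the sed address`.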
From d5ebcec0d2487b8c8a575f6b8fa32ab563f20dc0 Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Thu, 4 Jul 2024 11:31:00 +0200 Subject: [PATCH 8/8] upper to lower --- modules/L10_system_emulation.sh | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/modules/L10_system_emulation.sh b/modules/L10_system_emulation.sh index 5751b3bba..6cd330e94 100755 --- a/modules/L10_system_emulation.sh +++ b/modules/L10_system_emulation.sh @@ -120,11 +120,9 @@ L10_system_emulation() { if [[ -n "${D_END}" ]]; then export TAPDEV_0="tap0_0" local lARCH_END="" - export D_END_lower="" - D_END_lower="$(echo "${D_END}" | tr '[:upper:]' '[:lower:]')" - lARCH_END="$(echo "${ARCH}" | tr '[:upper:]' '[:lower:]')" - lARCH_END+="${D_END_lower}" + lARCH_END="${ARCH,,}" + lARCH_END+="${D_END,,}" # default is ARM_SF -> we only need to check if it is HF # The information is based on the results of architecture_check() @@ -1520,9 +1518,9 @@ get_networking_details_emulation() { lIP="${lIP/\.}" IP_ADDRESS_="" - if [[ "${D_END_lower}" == "eb" ]]; then + if [[ "${D_END,,}" == "eb" ]]; then IP_ADDRESS_="${lIP}" - elif [[ "${D_END_lower}" == "el" ]]; then + elif [[ "${D_END,,}" == "el" ]]; then IP_ADDRESS_=$(echo "${lIP}" | tr '.' '\n' | tac | tr '\n' '.' | sed 's/\.$//') fi