Shellcode analysis is not trivial. Static analysis is ineffective and easily defeated. Moreover, static analysis tools are usually not free. Dynamic analysis requires the shellcode to be loaded into another process in an appropriate environment, which is often a virtual machine.
In this presentation we introduce PyAna, a new tool that aims to make it easier to analyze shellcode. PyAna uses the Unicorn framework to emulate the CPU and creates a virtual Windows process, into which the shellcode is injected and analyzed. This automates the analysis and provides a flexible, lightweight environment without requiring virtual machines.
In the future, the idea behind PyAna can be applied to other areas of security research such as fuzzing or exploit detection.
Release at: https://github.com/PyAna/PyAna
- From the command line, run: PyAna.py [shellcode]
- Example: PyAna.py Samples/UrlDownloadToFile.sc
- Show report:
PyAna depends on:
- Implemented in Python using the Unicorn binding.
- Emulates simple shellcode samples: calc, UrlDownloadToFile.
- The Windows system structure emulation is not complete.
- Only a few Win32 APIs are hooked.
- Only 32-bit shellcode is supported.
Planned for future releases:
- Support PE files on Windows.
- Support unpacking.
- Apply the approach to fuzzing and exploit detection.