alicangnll/SandAnalyze

🚀 SandAnalyze - Simulate Windows EXE on Linux or macOS!

❓ What is This?

ENGLISH

SandAnalyze is a program that lets you examine Windows EXE files on Linux with the help of the GDB debugger or the QDB debugger and perform operations on the emulated process's memory.

TURKISH (translated)

SandAnalyze is a program with which you can examine Windows EXE files on Linux with the help of the GDB debugger or the QDB debugger and perform operations on memory.

❗ Supports

  • Windows (EXE and BIN)
  • macOS (DMG and BIN)
  • Android (APK, Testing)
  • iOS (APK, Testing)


😎 Installation

ENGLISH


First, run the "dllscollector.bat" file on a Windows computer. If the file you want to examine is 32-bit, copy the EXE file into the "examples/rootfs/x86_windows/bin" folder; if it is 64-bit, copy it into the "examples/rootfs/x8664_windows/bin" folder. Then, on a Linux computer, run the "pip3 install -r requirements.txt" command to install the Python PIP packages. After all these steps, you can start examining your EXE file with the "python3 example.py example.exe" command.

TURKISH (translated)

First, run the "dllscollector.bat" file on a Windows computer. If the file you want to examine is 32-bit, copy the EXE file into the "examples/rootfs/x86_windows/bin" folder; if it is 64-bit, copy it into the "examples/rootfs/x8664_windows/bin" folder. Then, on a Linux computer, run the "pip3 install -r requirements.txt" command and install the Python PIP packages. After all these steps, you can start examining your EXE file with the "python3 example.py example.exe" command.
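Choosing between the two rootfs folders above depends on the EXE's bitness. The check below, an added example that is not part of SandAnalyze or Qiling, reads the Machine field of the PE header and returns the matching rootfs bin directory; the PE header bytes it is exercised with are constructed inline and are not a real executable.

```python
import struct

# Rootfs locations from the installation instructions above (relative to the repo)
ROOTFS_BIN = {
    "x86": "examples/rootfs/x86_windows/bin",
    "x8664": "examples/rootfs/x8664_windows/bin",
}

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def pe_arch(data: bytes) -> str:
    """Return 'x86' or 'x8664' for a PE image; raise ValueError if it is not a supported PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ signature)")
    # e_lfanew at offset 0x3C points to the "PE\0\0" signature
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # need the 4-byte signature plus the 2-byte Machine field to be inside the file
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("invalid e_lfanew or missing PE signature")
    # IMAGE_FILE_HEADER follows the signature; Machine is its first WORD
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    if machine == IMAGE_FILE_MACHINE_I386:
        return "x86"
    if machine == IMAGE_FILE_MACHINE_AMD64:
        return "x8664"
    raise ValueError(f"unsupported Machine value 0x{machine:04x}")


def rootfs_bin_dir(data: bytes) -> str:
    """Directory from the README where this EXE must be copied before running example.py."""
    return ROOTFS_BIN[pe_arch(data)]


def make_stub_pe(machine: int) -> bytes:
    """Construct a minimal, non-executable PE header as sample input (not a real EXE)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    # IMAGE_FILE_HEADER (20 bytes) with only Machine set
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    for name, m in (("32-bit", IMAGE_FILE_MACHINE_I386), ("64-bit", IMAGE_FILE_MACHINE_AMD64)):
        print(name, "->", rootfs_bin_dir(make_stub_pe(m)))
```

To run it on a real file, pass `open("example.exe", "rb").read()` to `rootfs_bin_dir`.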



📷 Video

  • Installation
  • Proof of Concepts

NOTE

UC_ERR_FETCH_UNMAPPED, UC_ERR_WRITE_UNMAPPED and related issues

This is not a "bug". There are several possible reasons why these errors occur.

1 - A Windows API or syscall is not implemented

SandAnalyze with the Qiling Framework tries to emulate various platforms such as Linux, macOS, Windows, FreeBSD and UEFI. All these platforms come with different architectures. It is not possible for SandAnalyze with the Qiling Framework to emulate all of these syscalls/APIs. Community help is needed.

2 - Some specific requirements are needed. Firmware might need the interface br0, and a user's testing environment might not have it. In this case, ql.patch will come in handy.

3 - Required files are missing.

A missing config file or library can cause the targeted binary to fail to run properly. It is advisable to always turn on debugging or disassembly mode to pinpoint the issue and try to resolve it. Technically, this is not a bug but rather a feature.



Powered by Qiling Framework