ghostisanonymous007-sketch/arqre
GitHub: ghostisanonymous007-sketch/arqre
一款跨平台的逆向工程终端工具包,提供二进制分析、恶意软件分类与威胁评估能力。
Stars: 0 | Forks: 0
# ArqRE
用于二进制分析、恶意软件分类和威胁评估的逆向工程终端工具包。可在 **Kali Linux** 和 **Windows** 上运行。
```
# Kali Linux
$ arqre scan /usr/bin/nmap --verbose --report html
$ arqre diff /bin/ls /bin/cat
$ arqre strings malware.bin --type url --json
$ arqre disasm payload --arch x64 --section .text
# Windows
$ arqre scan suspicious.exe --verbose --report html
$ arqre diff original.exe patched.exe
$ arqre hexdump suspicious.bin --offset 0x1000 --length 512
```
## 功能
- **全流程扫描** - hashes、entropy heatmap、imports、strings、packer detection、YARA、threat correlation
- **深度 PE 分析** - Rich Header compiler fingerprint、overlay detection、TLS callbacks、Authenticode signatures
- **IAT reconstruction** - 通过 GetProcAddress/LoadLibrary 字符串引用检测动态 API resolution
- **二进制对比 (Binary diff)** - 节 (section) 与导入 (imports) 的结构化对比,以及字节级相似度分析
- **智能 string 提取** - 分类 URLs、IPs、注册表路径、APIs、crypto、C2 indicators、base64
- **多架构反汇编** - 通过 Capstone 支持 x86、x64、ARM32、ARM64、MIPS
- **Entropy heatmap** - 彩色 ASCII 条形图展示节 (section) 的 entropy 分布
- **Threat correlation** - 交叉引用 imports、strings 和 sections 以重构攻击链
- **Packer detection** - 识别 UPX、VMProtect、Themida、ASPack、MPRESS 等
- **YARA 集成** - 支持使用内置 packer/malware signatures 进行自定义规则扫描
- **HTML 报告** - 使用 Jinja2 生成的暗色主题报告,便于分享结果
- **支持脚本化** - 使用 `--json` 进行管道传输,使用 `--quiet` 输出单行结论
- **插件系统** - 支持热重载的 hooks,可用于扫描前/后处理、string、import 和 section 分析
- **PE & ELF** - 均通过 LIEF 解析(计划支持 Mach-O)
- **跨平台** - 支持 Kali Linux 和 Windows
## 安装说明
```
pip install -e ".[dev]"
```
需要 Python 3.10+。核心依赖:`typer`、`rich`、`capstone`、`lief`、`yara-python`、`pydantic`、`jinja2`。
## 命令
| 命令 | 描述 |
|---------|-------------|
| `arqre scan ` | 完整分析流程 |
| `arqre diff ` | 对比两个二进制文件 |
| `arqre strings ` | 提取并分类 strings |
| `arqre disasm ` | 反汇编二进制文件的节 (sections) |
| `arqre hexdump ` | 彩色 hex+ASCII 转储 |
| `arqre lookup ` | 计算 hash 并查询 VirusTotal |
| `arqre plugin ` | 管理插件 |
### 扫描选项
| 标志 | 描述 |
|------|-------------|
| `--verbose, -V` | 显示所有 imports 和 strings |
| `--json, -j` | 以 JSON 格式输出 |
| `--quiet, -q` | 仅输出单行结论 |
| `--report html` | 生成 HTML 报告 |
| `--output, -o` | 报告输出路径 |
| `--rules` | 自定义 YARA 规则目录 |
### 示例:Kali Linux
```
$ arqre scan /usr/bin/nmap
+-------------------------------------------+
| ArqRE v1.0 -- scan nmap |
+-------------------------------------------+
File Info
+------------------------------------------------+
| Name | nmap |
| Type | ELF64 |
| Architecture | X64 |
+------------------------------------------------+
```
### 示例:Windows
```
$ arqre scan suspicious.exe
+-------------------------------------------+
| ArqRE v1.0 -- scan suspicious.exe |
+-------------------------------------------+
File Info
+------------------------------------------------+
| Name | suspicious.exe |
| Type | PE64 |
| Architecture | X64 |
| Compiler | MSVC |
+------------------------------------------------+
Sections (Entropy Heatmap)
+------------------------------------------------+
| Name | Entropy | Heatmap | Flags | Status |
|--------+---------+------------+-------+--------|
| .text | 7.82 | #########- | R X | - |
| .rsrc | 7.94 | ######### | R W | !! HIGH|
+------------------------------------------------+
>> Reconstructed Attack Chain
+-- Step 1: Packed with UPX (80%)
+-- Step 2: Potential process injection (85%)
`-- Step 3: Network communication with remote servers (70%)
+---------------------------------- Verdict ----------+
| Classification: MALICIOUS |
| Confidence: 79% ========--- |
+----------------------------------------------------+
```
## 编程式调用
```
from arqre.core.analyzer import scan_file
from arqre.core.diff import compare_binaries
from arqre.core.strings import analyze_strings
from pathlib import Path
# 适用于任何 binary - Kali 上的 ELF,Windows 上的 PE
result = scan_file(Path("/usr/bin/nmap"))
print(result.threat_level, result.overall_confidence)
diff = compare_binaries(Path("a.bin"), Path("b.bin"))
print(f"Byte similarity: {diff.byte_similarity:.1%}")
strings = analyze_strings(Path("malware.bin"))
for s in strings:
if s.classification == s.classification.URL:
print(f"URL at 0x{s.offset:x}: {s.value}")
```
## 插件开发
在 `plugins/` 目录下创建一个 `.py` 文件:
```
def register_hooks(hooks):
hooks["post_scan"].append(my_post_scan)
def my_post_scan(result):
# Add custom analysis to scan result
pass
```
加载:`arqre plugin load my_plugin`
## 测试
```
pip install -e ".[dev]"
pytest tests/ -v
```
## 项目结构
```
arqre/
cli.py # Typer CLI entry point
core/
analyzer.py # Master orchestrator + correlation
diff.py # Binary diff engine
disassembler.py # Capstone multi-arch disassembly
entropy.py # Entropy analysis + ASCII heatmap
formatter.py # Rich terminal output
hashes.py # MD5/SHA1/SHA256/ssdeep/imphash
iat_reconstruct.py # Dynamic API resolution detection
imports.py # PE/ELF parsing via LIEF
overlay.py # PE overlay (appended data) detection
packer.py # Packer detection heuristics
rich_header.py # PE Rich Header compiler fingerprinting
signature.py # Authenticode signature extraction/verification
signatures.py # YARA rule matching
strings.py # Smart string extraction + classification
tls.py # TLS callback detection
models/
scan_result.py # Pydantic data models
plugins/
loader.py # Plugin discovery + hot-reload
reports/
html_report.py # Jinja2 HTML report generation
utils/
hexdump.py # Color hex+ASCII dump
vt.py # VirusTotal hash lookup (optional)
rules/
packers.yar # Bundled YARA rules
tests/ # 56 tests
```
## 许可证
MIT
标签:Capstone, DAST, DNS 反向解析, Python, YARA, 二进制分析, 云安全运维, 云资产可视化, 云资产清单, 威胁情报, 开发者工具, 恶意软件分析, 无后门, 网络信息收集, 逆向工具, 逆向工程