ghostisanonymous007-sketch/arqre

GitHub: ghostisanonymous007-sketch/arqre

一款跨平台的逆向工程终端工具包,提供二进制分析、恶意软件分类与威胁评估能力。

Stars: 0 | Forks: 0

# ArqRE 用于二进制分析、恶意软件分类和威胁评估的逆向工程终端工具包。可在 **Kali Linux** 和 **Windows** 上运行。 ``` # Kali Linux $ arqre scan /usr/bin/nmap --verbose --report html $ arqre diff /bin/ls /bin/cat $ arqre strings malware.bin --type url --json $ arqre disasm payload --arch x64 --section .text # Windows $ arqre scan suspicious.exe --verbose --report html $ arqre diff original.exe patched.exe $ arqre hexdump suspicious.bin --offset 0x1000 --length 512 ``` ## 功能 - **全流程扫描** - hashes、entropy heatmap、imports、strings、packer detection、YARA、threat correlation - **深度 PE 分析** - Rich Header compiler fingerprint、overlay detection、TLS callbacks、Authenticode signatures - **IAT reconstruction** - 通过 GetProcAddress/LoadLibrary 字符串引用检测动态 API resolution - **二进制对比 (Binary diff)** - 节 (section) 与导入 (imports) 的结构化对比,以及字节级相似度分析 - **智能 string 提取** - 分类 URLs、IPs、注册表路径、APIs、crypto、C2 indicators、base64 - **多架构反汇编** - 通过 Capstone 支持 x86、x64、ARM32、ARM64、MIPS - **Entropy heatmap** - 彩色 ASCII 条形图展示节 (section) 的 entropy 分布 - **Threat correlation** - 交叉引用 imports、strings 和 sections 以重构攻击链 - **Packer detection** - 识别 UPX、VMProtect、Themida、ASPack、MPRESS 等 - **YARA 集成** - 支持使用内置 packer/malware signatures 进行自定义规则扫描 - **HTML 报告** - 使用 Jinja2 生成的暗色主题报告,便于分享结果 - **支持脚本化** - 使用 `--json` 进行管道传输,使用 `--quiet` 输出单行结论 - **插件系统** - 支持热重载的 hooks,可用于扫描前/后处理、string、import 和 section 分析 - **PE & ELF** - 均通过 LIEF 解析(计划支持 Mach-O) - **跨平台** - 支持 Kali Linux 和 Windows ## 安装说明 ``` pip install -e ".[dev]" ``` 需要 Python 3.10+。核心依赖:`typer`、`rich`、`capstone`、`lief`、`yara-python`、`pydantic`、`jinja2`。 ## 命令 | 命令 | 描述 | |---------|-------------| | `arqre scan ` | 完整分析流程 | | `arqre diff ` | 对比两个二进制文件 | | `arqre strings ` | 提取并分类 strings | | `arqre disasm ` | 反汇编二进制文件的节 (sections) | | `arqre hexdump ` | 彩色 hex+ASCII 转储 | | `arqre lookup ` | 计算 hash 并查询 VirusTotal | | `arqre plugin ` | 管理插件 | ### 扫描选项 | 标志 | 描述 | |------|-------------| | `--verbose, -V` | 显示所有 imports 和 strings | | `--json, -j` | 以 JSON 格式输出 | | `--quiet, -q` | 仅输出单行结论 | | `--report html` | 生成 HTML 报告 | | `--output, -o` | 报告输出路径 | | `--rules` | 自定义 YARA 规则目录 | ### 示例:Kali Linux ``` $ arqre scan /usr/bin/nmap +-------------------------------------------+ | ArqRE v1.0 -- scan nmap | +-------------------------------------------+ File Info +------------------------------------------------+ | Name | nmap | | Type | ELF64 | | Architecture | X64 | +------------------------------------------------+ ``` ### 示例:Windows ``` $ arqre scan suspicious.exe +-------------------------------------------+ | ArqRE v1.0 -- scan suspicious.exe | +-------------------------------------------+ File Info +------------------------------------------------+ | Name | suspicious.exe | | Type | PE64 | | Architecture | X64 | | Compiler | MSVC | +------------------------------------------------+ Sections (Entropy Heatmap) +------------------------------------------------+ | Name | Entropy | Heatmap | Flags | Status | |--------+---------+------------+-------+--------| | .text | 7.82 | #########- | R X | - | | .rsrc | 7.94 | ######### | R W | !! HIGH| +------------------------------------------------+ >> Reconstructed Attack Chain +-- Step 1: Packed with UPX (80%) +-- Step 2: Potential process injection (85%) `-- Step 3: Network communication with remote servers (70%) +---------------------------------- Verdict ----------+ | Classification: MALICIOUS | | Confidence: 79% ========--- | +----------------------------------------------------+ ``` ## 编程式调用 ``` from arqre.core.analyzer import scan_file from arqre.core.diff import compare_binaries from arqre.core.strings import analyze_strings from pathlib import Path # 适用于任何 binary - Kali 上的 ELF,Windows 上的 PE result = scan_file(Path("/usr/bin/nmap")) print(result.threat_level, result.overall_confidence) diff = compare_binaries(Path("a.bin"), Path("b.bin")) print(f"Byte similarity: {diff.byte_similarity:.1%}") strings = analyze_strings(Path("malware.bin")) for s in strings: if s.classification == s.classification.URL: print(f"URL at 0x{s.offset:x}: {s.value}") ``` ## 插件开发 在 `plugins/` 目录下创建一个 `.py` 文件: ``` def register_hooks(hooks): hooks["post_scan"].append(my_post_scan) def my_post_scan(result): # Add custom analysis to scan result pass ``` 加载:`arqre plugin load my_plugin` ## 测试 ``` pip install -e ".[dev]" pytest tests/ -v ``` ## 项目结构 ``` arqre/ cli.py # Typer CLI entry point core/ analyzer.py # Master orchestrator + correlation diff.py # Binary diff engine disassembler.py # Capstone multi-arch disassembly entropy.py # Entropy analysis + ASCII heatmap formatter.py # Rich terminal output hashes.py # MD5/SHA1/SHA256/ssdeep/imphash iat_reconstruct.py # Dynamic API resolution detection imports.py # PE/ELF parsing via LIEF overlay.py # PE overlay (appended data) detection packer.py # Packer detection heuristics rich_header.py # PE Rich Header compiler fingerprinting signature.py # Authenticode signature extraction/verification signatures.py # YARA rule matching strings.py # Smart string extraction + classification tls.py # TLS callback detection models/ scan_result.py # Pydantic data models plugins/ loader.py # Plugin discovery + hot-reload reports/ html_report.py # Jinja2 HTML report generation utils/ hexdump.py # Color hex+ASCII dump vt.py # VirusTotal hash lookup (optional) rules/ packers.yar # Bundled YARA rules tests/ # 56 tests ``` ## 许可证 MIT
标签:Capstone, DAST, DNS 反向解析, Python, YARA, 二进制分析, 云安全运维, 云资产可视化, 云资产清单, 威胁情报, 开发者工具, 恶意软件分析, 无后门, 网络信息收集, 逆向工具, 逆向工程