Features
The tool can be used for the static and dynamic analysis of ELF files on the Linux x86/x64 platform.
Static analysis
- Basic Information: md5, name, file type, size and SSDEEP.
- SO Files Dependency: shared object (SO) dependency information (only for dynamically linked files).
- Strings Information.
- ELF Header and Entry Point.
- IP addresses and ports.
- ELF Segment, Section and Hash.
- Source File Names.
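As an added example (not code from the tool itself), the following Python snippet shows how the "Basic Information" and "ELF Header and Entry Point" items above can be derived from the raw ELF header: it validates the magic, picks the ELF32 or ELF64 field layout and byte order from e_ident, and returns the md5, size, file type, machine, entry point and program/section header counts. The sample input is a constructed minimal ELF64 header, not a real binary; SSDEEP is omitted because it needs a third-party library.

```python
import hashlib
import struct

# Constructed sample input: a minimal 64-byte ELF64 header (little-endian,
# x86-64, ET_EXEC, entry point 0x401000) with no segments or sections.
SAMPLE_ELF64 = (
    b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8         # e_ident: class64, LE, v1, SYSV
    + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0x401000,  # e_type, e_machine, e_version, e_entry
                  64, 0, 0, 64, 56, 0, 64, 0, 0)           # phoff, shoff, flags, ehsize, ph/sh sizes
)

ELF_TYPES = {0: "ET_NONE", 1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}
ELF_MACHINES = {3: "EM_386", 0x3E: "EM_X86_64"}


def elf_basic_info(data: bytes) -> dict:
    """Return md5, size, class, type, machine, entry point and header counts."""
    if len(data) < 16 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    bits = {1: 32, 2: 64}.get(data[4])      # EI_CLASS
    endian = {1: "<", 2: ">"}.get(data[5])  # EI_DATA
    if bits is None or endian is None:
        raise ValueError("invalid EI_CLASS or EI_DATA")
    # e_entry/e_phoff/e_shoff are 4 bytes in ELF32 and 8 bytes in ELF64.
    fmt = endian + ("HHIQQQIHHHHHH" if bits == 64 else "HHIIIIIHHHHHH")
    if len(data) < 16 + struct.calcsize(fmt):
        raise ValueError("truncated ELF header")
    (e_type, e_machine, _ver, e_entry, e_phoff, e_shoff, _flags,
     _ehsize, _phentsize, e_phnum, _shentsize, e_shnum, _shstrndx
     ) = struct.unpack_from(fmt, data, 16)
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "size": len(data),
        "class": bits,
        "type": ELF_TYPES.get(e_type, f"unknown({e_type})"),
        "machine": ELF_MACHINES.get(e_machine, f"unknown({e_machine})"),
        "entry": e_entry,
        "phoff": e_phoff,
        "shoff": e_shoff,
        "phnum": e_phnum,
        "shnum": e_shnum,
    }


if __name__ == "__main__":
    for key, value in elf_basic_info(SAMPLE_ELF64).items():
        print(f"{key}: {value}")
```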
Dynamic analysis
- Starting and Termination: Time Stamps and Elapsed Time.
- Processes Information: clone, execve and exit etc.
- File I/O: open, read, write and delete etc.
- Network: TCP, UDP, HTTP and HTTPS etc.
- Typical Malicious Actions: self-deletion, self-modification and self-locking.
- API Information: getpid, system, dup and other libc functions.
- syscall sequences.
- [newly added] memory analysis
- [newly added] HTML log output
Feature List
The open-source code supports automated static and dynamic analysis of ELF files on the Linux x86/x64 platform.
Static analysis
- Basic information: file md5, name, type, size, SSDEEP and similar.
- Dependent SO information: for dynamically linked files, outputs the shared objects they depend on.
- String information
- ELF header information and entry point
- IP address and port information
- ELF segment information, section information and hash values
- Source file names
Dynamic analysis
- Run start and termination information: elapsed time etc.
- Process information: clone system calls, execve calls, process creation and termination etc.
- File operation information: open, read, modify, delete and other file I/O operations
- Network information: TCP, UDP, HTTP, HTTPS, SSL etc.
- Typical malicious behaviour: self-deletion, self-modification, self-locking etc.
- API information: getpid, system, dup and other libc function calls
- syscall sequence information
- [newly added] memory analysis
- [newly added] HTML added as a log output format