Xori - An Automation-Ready Disassembly And Static Analysis Library For PE32, PE32+ And Shellcode


Xori is an automation-ready disassembly and static analysis library that consumes shellcode or PE binaries and provides triage analysis data.

Acknowledgements:
Xori wouldn't be without inspiration and ideas from the open source community. We are indebted to the work of the Capstone engine and the LLVM Project.

Architectures:
  • i386
  • x86-64

File Formats
  • PE, PE+
  • Plain shellcode

Current Features
  • Outputs json of the 1) Disassembly, 2) Functions, and 3) Imports.
  • Manages Image and Stack memory.
  • 2 modes:
    • Light Emulation - meant to enumerate all paths (Registers, Stack, Some Instructions).
    • Full Emulation - only follows the code's path (Slow performance).
  • Simulated TEB & PEB structures.
  • Evaluates functions based on DLL exports.
  • Displays strings based on referenced memory locations.
  • Uses FLIRT style signatures (Fast Library Identification and Recognition Technology).
  • Allows you to use your own exports for simulating the PEB.
  • Will detect padding after a non-returning call.
  • Will try to identify function references from offsets.
What it doesn't do yet:
  • The engine is interactive.
  • Does not dump strings.
  • Does not process non-executable sections.
  • TEB and PEB are not enabled for non-PE files.
  • Only some x86 instructions are emulated, not all.
  • Patching and assembling.
  • No plugins or scripting.

Documentation

Requirements
rustc 1.27.0

Install rust for OSX & Linux Distros
curl https://sh.rustup.rs -sSf | sh

Install rust for Windows
First get the rustup.exe (the rust toolchain installer) from here.

This tool will install the rust compiler rustc, the rust package manager cargo and other useful tools for development in rust.
  • run the rustup.exe

Install rust prerequisites
In case you see this output, your Windows environment is missing the Build Tools for Visual Studio, so keep on reading; otherwise go here.

  • follow the link from the output, or click here
  • cancel the rustup-init.exe
  • back in the browser, scroll down, expand the tab "Tools for Visual Studio 2017" & download the "Build Tools for Visual Studio 2017"
  • run the executable
select the "Visual C++ build tools" & click "install", close the "Visual Studio Installer" after the installation


Install rust toolchain
Run the rustup.exe & you will see the following output.

After the successful installation you can see that the rust compiler rustc, the rust package manager cargo and other tools were installed (under C:\Users\%username%\.cargo & C:\Users\%username%\.rustup).

  • open a new "Command Prompt" & follow the xori build steps here

Installation

1. Build Xori
This command will also build other binaries such as pesymbols and peinfo.
git clone https://github.com/endgameinc/xori.git
cd xori
cargo build --release

2. Create xori.json config file
cp xori.json.example xori.json
[edit if desired]

3. (Optional) Build the symbols files
If you want to create your own symbol files you need to set the dll folders to where you stored your windows dlls.
"function_symbol32": "./src/analysis/symbols/generated_user_syswow64.json",
"function_symbol64": "./src/analysis/symbols/generated_user_system32.json",
"symbol_server": {
  "dll_folder32": "./dlls/32bit",
  "dll_folder64": "./dlls/64bit"
}
Run pesymbols to overwrite the function_symbol json
 ./target/release/pesymbols
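A practical check before running pesymbols is that each folder really holds DLLs of the bitness its key implies (32-bit in dll_folder32, 64-bit in dll_folder64). The script below is an added example and not part of Xori: it reads the symbol_server keys from xori.json, inspects the COFF Machine field of every DLL in each folder, and also classifies any blob into the input kinds Xori accepts (PE, PE+, plain shellcode). The key names, the standard PE header layout, and the constructed minimal headers used by demo_report() for an offline run are assumptions of this example, not something the README specifies.

```python
"""Added example (not part of Xori): check the DLL folders named in
xori.json before running pesymbols, and classify inputs into the kinds
Xori accepts (PE, PE+, plain shellcode).

Assumptions (not taken from the Xori README): the config keys
"symbol_server" -> "dll_folder32" / "dll_folder64", and the standard PE
header layout (e_lfanew at 0x3C, IMAGE_FILE_HEADER.Machine right after
the PE signature). demo_report() runs on constructed headers offline.
"""
import json
import os
import struct
import tempfile

MACHINE_I386 = 0x014C   # IMAGE_FILE_MACHINE_I386
MACHINE_AMD64 = 0x8664  # IMAGE_FILE_MACHINE_AMD64


def pe_machine(data: bytes):
    """Return the COFF Machine value of a PE image, or None when the blob
    is not a PE at all (for Xori's purposes: plain shellcode)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<H", data, e_lfanew + 4)[0]


def classify(data: bytes) -> str:
    """Map a blob to pe32, pe32+, shellcode, or unsupported (a PE for an
    architecture Xori does not handle)."""
    machine = pe_machine(data)
    if machine is None:
        return "shellcode"
    if machine == MACHINE_I386:
        return "pe32"
    if machine == MACHINE_AMD64:
        return "pe32+"
    return "unsupported"


def check_dll_folders(config: dict) -> dict:
    """For each symbol_server folder, count DLLs whose bitness matches the
    folder's key and list the ones that do not (or are not PE files)."""
    expected = {"dll_folder32": "pe32", "dll_folder64": "pe32+"}
    server = config.get("symbol_server", {})
    report = {}
    for key, want in expected.items():
        folder = server.get(key)
        matched, mismatched = 0, []
        if folder and os.path.isdir(folder):
            for name in sorted(os.listdir(folder)):
                if not name.lower().endswith(".dll"):
                    continue  # only DLLs feed the export symbols
                with open(os.path.join(folder, name), "rb") as fh:
                    kind = classify(fh.read())
                if kind == want:
                    matched += 1
                else:
                    mismatched.append(name)
        report[key] = {"folder": folder, "matched": matched,
                       "mismatched": mismatched}
    return report


def minimal_pe(machine: int) -> bytes:
    """Constructed header for tests: a DOS header pointing at a bare PE
    signature plus COFF file header. Not loadable, just enough for
    pe_machine()."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> right after DOS header
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


def demo_report() -> dict:
    """Run the check on constructed 32/64-bit folders, including a 64-bit
    DLL misplaced in the 32-bit folder and a stray non-DLL file."""
    with tempfile.TemporaryDirectory() as tmp:
        d32, d64 = os.path.join(tmp, "32bit"), os.path.join(tmp, "64bit")
        os.makedirs(d32)
        os.makedirs(d64)
        samples = {
            (d32, "kernel32.dll"): minimal_pe(MACHINE_I386),
            (d32, "misplaced64.dll"): minimal_pe(MACHINE_AMD64),
            (d64, "ntdll.dll"): minimal_pe(MACHINE_AMD64),
            (d64, "readme.txt"): b"not a dll",
        }
        for (folder, name), blob in samples.items():
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(blob)
        cfg = {"symbol_server": {"dll_folder32": d32, "dll_folder64": d64}}
        return check_dll_folders(cfg)


if __name__ == "__main__":
    # With a real xori.json in the working directory, check its folders.
    if os.path.exists("xori.json"):
        with open("xori.json") as fh:
            print(json.dumps(check_dll_folders(json.load(fh)), indent=2))
    else:
        print(json.dumps(demo_report(), indent=2))
```

Run it from the xori checkout after step 2; any name listed under "mismatched" is a DLL whose Machine field does not match the folder it sits in and should be moved before pesymbols is run. The same classify() function tells you which mode Xori will treat an input as (PE, PE+ or shellcode) before you pass it with -f.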

Run
./target/release/xori -f test.exe

Run all tests
cargo test

Browser GUI
Browser:  Chrome   | Firefox  | Safari   | IE | Opera
Support:  Latest ✔ | Latest ✔ | Latest ✔ | x  | Latest ✔

Requirements
nodejs
yarn (optional for UI dev)
  • On Ubuntu 18.04 you may need to apt install the following: curl git libssl-dev pkg-config build-essential npm

Build
cd gui
npm install

Run
In one terminal
cd gui
node src/server.js
In another terminal
cd gui
npm start
It will open your default browser to http://localhost:3000/. The backend API is listening on localhost:5000.