Static binary analysis tool that computes shared string references between binaries and outputs them as JSON, YAML or YARA

StrTwins


StrTwins is a binary analysis tool, powered by radare2, that finds code string references shared between executables and outputs them as JSON, YAML or YARA.

How this works

A code string reference is an instruction in the binary's code that loads the address of a string (a lea or a push of the string's address, for example). Filtering on references is a good way to tell which of the visible strings the software actually uses: a plain strings dump also lists data that no code ever touches, whereas a referenced string is, by construction, reachable from the program logic.

In other words, strTwins only considers strings that the code actually references, collects every occurrence of them in each input file, and outputs only the strings that are shared between the files.
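To make the two filters concrete, here is an added Go example (not part of strTwins; it does not call radare2) that models the pipeline on constructed data: each binary carries its string table and the code cross-references into it, only referenced strings survive, and only strings referenced in more than one file are reported, printed in the shape of strTwins' YAML output. The addresses, the dead https://unused.example string, and the assumption that "shared" means "present in more than one input file" are all invented for the illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Binary is a constructed stand-in for what radare2 hands strTwins: the strings
// found in the file (address -> text) and the code cross-references to them.
type Binary struct {
	Name    string
	Strings map[uint64]string
	Refs    []Ref
}

// Ref is one instruction that loads a string address; Func is 0 when the
// instruction lies outside any recognised function.
type Ref struct {
	Insn, Func, Target uint64
	Disasm             string
}

// Hit mirrors one entry of the "instructions" list in strTwins' YAML output.
type Hit struct {
	Filename   string
	Disasm     string
	Offset     uint64
	FuncOffset uint64
}

// referenced keeps only the strings some instruction actually points at; a
// string that is merely present in the file never enters the result.
func referenced(b Binary) map[string][]Hit {
	out := map[string][]Hit{}
	for _, r := range b.Refs {
		s, ok := b.Strings[r.Target]
		if !ok {
			continue // xref to something that is not a string
		}
		out[s] = append(out[s], Hit{b.Name, r.Disasm, r.Insn, r.Func})
	}
	return out
}

// Shared returns the referenced strings present in at least two binaries with
// every referencing instruction. Assumption: "shared" means "in more than one
// input file"; the page only shows two-file runs.
func Shared(bins []Binary) map[string][]Hit {
	files := map[string]map[string]bool{}
	hits := map[string][]Hit{}
	for _, b := range bins {
		for s, h := range referenced(b) {
			if files[s] == nil {
				files[s] = map[string]bool{}
			}
			files[s][b.Name] = true
			hits[s] = append(hits[s], h...)
		}
	}
	for s, f := range files {
		if len(f) < 2 {
			delete(hits, s)
		}
	}
	return hits
}

// Sample is constructed data modelled on the prog1/prog2 example, plus a string
// that both files contain but neither references (dead data).
func Sample() []Binary {
	return []Binary{
		{Name: "prog1",
			Strings: map[uint64]string{0x2000: "https://google.com", 0x2013: "https://reddit.com", 0x2026: "https://unused.example"},
			Refs: []Ref{
				{Insn: 0x1130, Func: 0x1120, Target: 0x2000, Disasm: "lea rax, str.https:__google.com"},
				{Insn: 0x1137, Func: 0x1120, Target: 0x2013, Disasm: "lea rdx, str.https:__reddit.com"},
			}},
		{Name: "prog2",
			Strings: map[uint64]string{0x2000: "https://google.com", 0x2013: "https://youtube.com", 0x2027: "https://unused.example"},
			Refs: []Ref{
				{Insn: 0x1150, Func: 0x1140, Target: 0x2000, Disasm: "lea rax, str.https:__google.com"},
				{Insn: 0x1157, Func: 0x1140, Target: 0x2013, Disasm: "lea rdx, str.https:__youtube.com"},
			}},
	}
}

func main() {
	shared := Shared(Sample())
	keys := make([]string, 0, len(shared))
	for s := range shared {
		keys = append(keys, s)
	}
	sort.Strings(keys)
	for _, s := range keys { // YAML-like, the way strTwins prints it
		fmt.Printf("%s:\n  instructions:\n", s)
		for _, h := range shared[s] {
			fmt.Printf("  - filename: %s\n    disasm: %s\n    offset: %d\n    funcoffset: %d\n", h.Filename, h.Disasm, h.Offset, h.FuncOffset)
		}
	}
}
```

Running it reports only https://google.com: https://reddit.com and https://youtube.com are referenced in one file each, and https://unused.example is present in both files but referenced by neither, which is exactly the case the reference filter exists to discard.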

Installing

The current version has only been tested on Linux and macOS, but it can be compiled from source for other systems.

To use strTwins you need radare2 installed on your machine.

From release

Go to the Releases page and grab the binary for your system.

Compiling from source

As it is written in Go, compiling is as simple as:

go get github.com/AandersonL/strTwins

(With Go 1.18 or newer, go get no longer builds binaries; use go install github.com/AandersonL/strTwins@latest instead, which requires the repository to be a Go module.)

If your PATH includes your $GOPATH/bin directory, you can start using it by calling:

$ strTwins -h

How this works in practice

Consider these two simple programs:

// Prog 1 (prog1.c)
#include <stdio.h>
static void some_random_function(const char *a, const char *b) { printf("%s %s\n", a, b); }

int main(void) {
    const char *url  = "https://google.com";
    const char *url2 = "https://reddit.com";
    some_random_function(url, url2);
    /* ... */
    return 0;
}

// Prog 2 (prog2.c)
#include <stdio.h>
static void some_random_function(const char *a, const char *b) { printf("%s %s\n", a, b); }

int main(void) {
    const char *url  = "https://google.com";
    const char *url2 = "https://youtube.com";
    some_random_function(url, url2);
    return 0;
}

Running:

strTwins prog1 prog2

https://google.com:
  widestring: false
  instructions:
  - filename: prog1
    contextdisasm: lea rax, str.https:__google.com
    disasm: lea rax, [rip + 0x2f]
    offset: 4294983530
    funcoffset: 4294983504
  - filename: prog2
    contextdisasm: lea rax, str.https:__google.com
    disasm: lea rax, [rip + 0x10]
    offset: 4294983551
    funcoffset: 4294983536

The default output is YAML. Here you can see that https://google.com is a string reference shared by prog1 and prog2, together with the instruction that refers to the string address, in two forms: contextdisasm, the analysed disassembly in which radare2 replaces the string location with a string symbol (str.https:__google.com), and disasm, the raw disassembly at the referencing address. Offsets are printed in decimal.

If the reference happens inside a function, the function's address is given in the funcoffset key; otherwise it is 0, as in the Emotet example below.

The output is not limited to YAML; you can choose JSON or YARA with the -f flag.

Usage

You can see the usage by passing -h on the command line:

$ ./strTwins -h
Discover shared string references between binaries and output in a variety formats!

Usage:
  strTwins file1, file2... [flags]

Flags:
  -f, --format string     Format to output, available are: json, yaml and Yara! (default "yaml")
  -h, --help              help for strTwins
  -n, --rulename string   Yara rule name, if was choosen as format output!

Example: Emotet malware

Let's run strTwins on two Emotet samples and output JSON and YARA:

JSON output

$ strTwins tests/emotet/* -f json

{
 "GradientFill": {
  "WideString": false,
  "Instructions": [
   {
    "Filename": "tests/emotet/87ea8dd7b7e6805738bc4f31778cc37932f4da9615d215b855bde087eb02b547",
    "ContextDisasm": "push str.GradientFill",
    "Disasm": "push 0x40502c",
    "Offset": 4198430,
    "FuncOffset": 4198400
   },
   {
    "Filename": "tests/emotet/000b0cf537e46c5a93de8ec4672450772d247ea5417692a35ef314679f1d4f4d",
    "ContextDisasm": "push str.GradientFill",
    "Disasm": "push 0x40502c",
    "Offset": 4198430,
    "FuncOffset": 4198400
   }
  ]
 },
 "bMgBo2S1*Ki}V~5n28Si#20f~}M4KZ?dy%@nCMnTQJLc*E4bJ|$A8DSZne4pTXEJ%@PfX3mKBgvXa": {
  "WideString": false,
  "Instructions": [
   {
    "Filename": "tests/emotet/87ea8dd7b7e6805738bc4f31778cc37932f4da9615d215b855bde087eb02b547",
    "ContextDisasm": "mov esi, str.bMgBo2S1KiV5n28Si20fM4KZ_dy__nCMnTQJLcE4bJ_A8DSZne4pTXEJ__PfX3mKBgvXa",
    "Disasm": "mov esi, 0x4058c8",
    "Offset": 4205772,
    "FuncOffset": 0
   },
   {
    "Filename": "tests/emotet/000b0cf537e46c5a93de8ec4672450772d247ea5417692a35ef314679f1d4f4d",
    "ContextDisasm": "mov esi, str.bMgBo2S1KiV5n28Si20fM4KZ_dy__nCMnTQJLcE4bJ_A8DSZne4pTXEJ__PfX3mKBgvXa",
    "Disasm": "mov esi, 0x4058c8",
    "Offset": 4205772,
    "FuncOffset": 0
   }
  ]
 },
 "msimg32.dll": {
  "WideString": false,
  "Instructions": [
   {
    "Filename": "tests/emotet/87ea8dd7b7e6805738bc4f31778cc37932f4da9615d215b855bde087eb02b547",
    "ContextDisasm": "push str.msimg32.dll",
    "Disasm": "push 0x405020",
    "Offset": 4198414,
    "FuncOffset": 4198400
   },
   {
    "Filename": "tests/emotet/000b0cf537e46c5a93de8ec4672450772d247ea5417692a35ef314679f1d4f4d",
    "ContextDisasm": "push str.msimg32.dll",
    "Disasm": "push 0x405020",
    "Offset": 4198414,
    "FuncOffset": 4198400
   }
  ]
 }
}

Yara output

$ strTwins tests/emotet/* -f yara -n emotet_dummy_rule

rule emotet_dummy_rule {
	meta:
		description = "Generated rule by strTwins tool"
	strings:
		$0 = "msimg32.dll"
		$1 = "GradientFill"
		$2 = "bMgBo2S1*Ki}V~5n28Si#20f~}M4KZ?dy%@nCMnTQJLc*E4bJ|$A8DSZne4pTXEJ%@PfX3mKBgvXa"
	condition:
		all of them
}

DISCLAIMER: the YARA output is naive: it takes every shared string as-is and requires all of them. Do not rely on these strings alone. In the example above, msimg32.dll and GradientFill are just a Windows DLL and the function it exports, so any benign program that imports GradientFill carries them too; only the third string is specific to the samples. Review the strings, drop the generic ones and add file-type and structural conditions before deploying a rule. Consider strTwins a helper for triaging a large malware dataset, not a rule generator.
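As an added example of what that review looks like in practice (this is not part of strTwins), the following Go program reads the JSON output format shown above, drops strings that are too generic to build a rule on and emits a rule that checks the PE magic before any string is searched. The apiNoise list, the 8-byte minimum length, the assumption that the corpus is Windows executables, and the trimmed sampleJSON are all constructed for the illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
	"sort"
	"strings"
)

// Entry mirrors one value of the `strTwins -f json` map above (Instructions items keep their keys).
type Entry struct {
	WideString   bool                     `json:"WideString"`
	Instructions []map[string]interface{} `json:"Instructions"`
}

// sampleJSON: constructed, trimmed copy of the Emotet output above (one instruction per string).
const sampleJSON = `{
 "GradientFill": {"WideString": false, "Instructions": [{"Filename": "tests/emotet/87ea8dd7b7e6805738bc4f31778cc37932f4da9615d215b855bde087eb02b547", "Disasm": "push 0x40502c", "Offset": 4198430, "FuncOffset": 4198400}]},
 "bMgBo2S1*Ki}V~5n28Si#20f~}M4KZ?dy%@nCMnTQJLc*E4bJ|$A8DSZne4pTXEJ%@PfX3mKBgvXa": {"WideString": false, "Instructions": [{"Filename": "tests/emotet/000b0cf537e46c5a93de8ec4672450772d247ea5417692a35ef314679f1d4f4d", "Disasm": "mov esi, 0x4058c8", "Offset": 4205772, "FuncOffset": 0}]},
 "msimg32.dll": {"WideString": false, "Instructions": [{"Filename": "tests/emotet/87ea8dd7b7e6805738bc4f31778cc37932f4da9615d215b855bde087eb02b547", "Disasm": "push 0x405020", "Offset": 4198414, "FuncOffset": 4198400}]}
}`

// apiNoise is an assumed starter list of Windows API names that benign software references just as
// readily (msimg32.dll exports GradientFill); grow it from a goodware corpus.
var apiNoise = map[string]bool{"GradientFill": true, "AlphaBlend": true, "TransparentBlt": true}

// IsNoise: a known API name, a DLL name, or anything shorter than 8 bytes is too generic for a rule.
func IsNoise(s string) bool {
	return len(s) < 8 || apiNoise[s] || strings.HasSuffix(strings.ToLower(s), ".dll")
}

// SelectStrings parses strTwins JSON output and drops the generic strings.
func SelectStrings(data []byte) (map[string]Entry, error) {
	var all map[string]Entry
	if err := json.Unmarshal(data, &all); err != nil {
		return nil, err
	}
	kept := map[string]Entry{}
	for s, e := range all {
		if !IsNoise(s) {
			kept[s] = e
		}
	}
	return kept, nil
}

// yaraEscape makes s safe inside a double-quoted YARA text string.
func yaraEscape(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		switch c := s[i]; {
		case c == '"' || c == '\\':
			b.WriteByte('\\')
			b.WriteByte(c)
		case c < 0x20 || c > 0x7e:
			fmt.Fprintf(&b, `\x%02x`, c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// BuildRule honours WideString and only fires on PE files (assumption: the corpus is Windows
// executables, as in the Emotet example). An empty set is an error: "all of them" would not compile.
func BuildRule(name string, entries map[string]Entry) (string, error) {
	if len(entries) == 0 {
		return "", fmt.Errorf("rule %s: no strings left after filtering", name)
	}
	keys := make([]string, 0, len(entries))
	for s := range entries {
		keys = append(keys, s)
	}
	sort.Strings(keys) // deterministic $s0, $s1, ... numbering
	var b strings.Builder
	fmt.Fprintf(&b, "rule %s {\n\tmeta:\n\t\tdescription = \"shared code string references (strTwins)\"\n\tstrings:\n", name)
	for i, s := range keys {
		mod := "ascii"
		if entries[s].WideString {
			mod = "wide"
		}
		fmt.Fprintf(&b, "\t\t$s%d = \"%s\" %s\n", i, yaraEscape(s), mod)
	}
	b.WriteString("\tcondition:\n\t\tuint16(0) == 0x5A4D and all of them\n}\n")
	return b.String(), nil
}
func main() {
	kept, err := SelectStrings([]byte(sampleJSON))
	if err != nil {
		log.Fatal(err)
	}
	rule, err := BuildRule("emotet_shared_refs", kept)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Print(rule)
}
```

The rule it prints keeps only the third string from the example and adds uint16(0) == 0x5A4D, so non-PE files are rejected before any string is searched. Treat the result as a draft to test against goodware, not as a finished detection.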

Known errors

error while loading shared libraries: libr_core.so: cannot open shared object file: No such file or directory

This happens because radare2 installs its libraries under /usr/local/lib on *nix systems; if your dynamic loader does not search that directory, add the following line to /etc/ld.so.conf (or to a file under /etc/ld.so.conf.d/):

/usr/local/lib

And then, rebuild the shared object cache:

sudo ldconfig

Conclusion

This is an experimental tool; if you find errors or have ideas for improvements or new features, feel free to open a PR!

Thanks.

Owner
Anderson
Reverse engineer and researcher making strange ideas come true.