  • Stars: 145
  • Rank: 254,144 (Top 6 %)
  • Language: Rust
  • License: Apache License 2.0
  • Created over 4 years ago
  • Updated almost 4 years ago

Repository Details

Intel x86 bare metal hypervisor for researching snapshot fuzzing ideas.

Barbervisor

The blog describing the development can be found here

The underlying kernel for this hypervisor is Orange Slice by Brandon Falk and the packet structure for network traffic is a fork of smoltcp.

Building

Ensure the i586-pc-windows-msvc and x86_64-pc-windows-msvc toolchains are installed and that nightly Rust is in use.

> rustup target add i586-pc-windows-msvc
> rustup target add x86_64-pc-windows-msvc 

> rustup toolchain list
nightly-x86_64-pc-windows-msvc (default)

Download LLVM and have lld-link in the path. Download NASM and have nasm in the path.

Change the IP address in tftp-server/src/main to the network address the server should bind to.

> cargo run

Snapshots

Snapshots are currently gathered from VirtualBox.

After snapshotting from VirtualBox, place the result of writecore at snapshot/snapshot.dmp and the result of .pgmphystofile at snapshot/snapshot.phys. These paths are hard-coded and are required by most of the utilities.

Deploying

Copy barberslice.boot and barberslice.kern to a TFTPD server folder configured for PXE booting. Also set the PXE boot filename to barberslice.boot in your DHCP server.

Bochs

The kernel can be tested in Bochs before testing on bare metal.

bochs -q -f emu/bochsrc

Be sure to change the following lines of the bochsrc to point to your local Bochs install:

romimage: file="C:\Users\user\git\bochs\bios\BIOS-bochs-latest", address=0x0, options=none
vgaromimage: file="C:\Users\user\git\bochs\bios\VGABIOS-lgpl-latest"
ata0-master: type=cdrom, path="C:\Users\user\git\barberslice\ipxe\src\bin\ipxe.iso", status=inserted
e1000: enabled=1, mac=52:54:00:12:34:56, ethmod=vnet, ethdev="C:\Users\user\git\barberslice\emu"

iPXE

An iPXE build is included for testing in Bochs using PXE.

On Linux:

sudo apt-get install liblzma liblzma-dev isolinux mkisofs
git clone https://github.com/ipxe/ipxe
cd ipxe/src
make bin/ipxe.iso EMBED=../../emu/boot.ipxe

Utilities

  • check_address: Returns the module+offset and instruction for a given address from the current snapshot
  • corpgen: Generates a serialized corpus for shipping to the kernel
  • coverage: Dumps a module+offset coverage file to load into Lighthouse
  • diverage: Legacy utility used to diff a WinDbg single-step trace and a trace dumped from Barberslice
  • find_input: Returns all generated files that hit a given address
  • parse_trace: Parses the trace format sent from the hypervisor into a human-readable form
  • pci-ids-parser: Parser for dumping PCI information that was going to be added to the kernel (but never was)
  • snapshot: Parses the VirtualBox core dump file and dumps the register state for the kernel to use
  • tftp-server: Custom TFTP server for communicating with the hypervisor

Docs

The main kernel docs can be built and opened with:

cd kernel
cargo doc --open

The utilities also have READMEs giving a high-level overview of what each tool is used for.
