enkomio/Sojobo enkomio/Sojobo

  • Stars
    star
    128
  • Rank 281,044 (Top 6 %)
  • Language
    F#
  • License
    Other
  • Created over 5 years ago
  • Updated almost 4 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
enkomio/Sojobo
github

enkomio

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A binary analysis framework

Sojobo - A binary analysis framework

Sojobo is an emulator for the B2R2 framework. It was created to easier the analysis of potentially malicious files. It is totally developed in .NET so you don't need to install or compile any other external libraries (the project is self contained).

With Sojobo you can:

  • Emulate a (32 bit) PE binary
  • Inspect the memory of the emulated process
  • Read the process state
  • Display a disassembly of the executed code
  • Emulate functions in a managed language (C# || F#)

Tools using Sojobo

  • ADVDeobfuscator

ADV Deobfuscator - A string deobfuscator for ADVObfuscator

ADVDeobfuscator is tool based on the Sojobo binary analysis framework that analyzes a binary obfuscated with ADBObfuscator and decodes the identified strings.

Download

A compiled version is available to Community sponsored users. If you are a sponsored user you can download the binary from: https://github.com/enkomio-sponsor/compiled_binaries

Documentation

The image below shows an execution of ADVDeobfuscator on the Conti Ransomware.

The image below shows an execution of ADVDeobfuscator on the Taurus Stealer (see also Predator the thief).

I wrote a blog post on how to deobfuscate the Team 9 binaries.

Using Sojobo

Sojobo is intended to be used as a framework to create program analysis utilities. However, various sample utilities were created in order to show how to use the framework in a profitable way.

Download

Documentation

The project is fully documented in F# (cit.) :) Joking apart, I plan to write some blog posts related to how to use Sojobo. Below a list of the current posts:

You can also read the API documentation.

Compile

In order to compile Sojobo you need .NET Core to be installed and Visual Studio. To compile just run build.bat.

License

Copyright (C) 2019 Antonio Parata - @s4tan

Sojobo is licensed under the Creative Commons.

More Repositories

1

Taipan

Web application vulnerability scanner
441
star
2

AlanFramework

A C2 post-exploitation framework
Assembly
428
star
3

shed

.NET runtime inspector
C#
250
star
4

ManagedInjector

A C# DLL injection library
C#
170
star
5

thematrix

a PE Loader and Windows API tracer. Useful in malware analysis.
Assembly
128
star
6

sacara

Sacara VM
F#
122
star
7

BrokenFlow

A simple PoC to invoke an encrypted shellcode by using an hidden call
Assembly
112
star
8

Anathema

.NET instrumentation framework
F#
74
star
9

RunDotNetDll

A simple utility to list all methods of a given .NET Assembly and to invoke them
C#
63
star
10

Misc

A repository with simple projects created for testing/learning purpose
F#
45
star
11

s4tanic0d3

Crackme challenge
Assembly
17
star
12

ProgramUpdater

PUF - Program Updater Framework. A library to easier the task of program updating
F#
14
star
13

MacroInspector

A tool to dynamically inspect macro execution in Office documents
Python
13
star
14

MealyObfuscator

String obfuscator based on the Mealy automata
F#
12
star
15

Mandolin0

A tool to brute force forms based authentication mechanism
HTML
11
star
16

Fslog

Fslog is a simple yet powerful F# logging framework
F#
9
star
17

Conferences

This repository contains the material of the talks that I had at various security conferences
C#
5
star
18

SATEP

Static Analysis Tool Evaluation Project
PHP
2
star
19

media

repository to store media file related to other projects
1
star
20

enkomio

1
star