CodeHawk Binary Analyzer for malware analysis and general reverse engineering
This repository contains the command-line interface (in Python) to run the CodeHawk Binary Analyzer and report its results. The command-line interface can be invoked as follows (adjust paths for the actual location):
> export PYTHONPATH=$HOME/CodeHawk-Binary
> export PATH=$HOME/CodeHawk-Binary/chb/cmdline:$PATH
> chkx
This will show an overview of the commands available.
At present the analyzer supports x86 (32-bit) binaries, both ELF and PE32, as well as mips32 and arm32 (both ARM and Thumb-2) binaries (ELF only); arm32 support is still under active development and thus somewhat experimental.
The command-line interface requires Python 3.5 or higher. The analyzer requires a Java runtime environment.
A Linux and macOS executable of the CodeHawk Binary Analyzer is available for direct use in the directory chb/bin/binaries; it may not always be the most recent version, however, or it may not be compatible with locally available libraries. It is therefore also possible to build your own from the source code available in the codehawk repository. Build instructions are available here. Upon completion copy the analyzer, chx86_analyze, from the CodeHawk/CHB/bchcmdline directory to the appropriate directory in chb/bin/binaries, or point Config.py (or ConfigLocal.py) in chb/util/ to its location. You can check the configuration with
> chkx info
Analyzer configuration:
-----------------------
analyzer : /home/myname/codehawk/CodeHawk/CHB/bchcmdline/chx86_analyze (found)
summaries: /home/myname/codehawk/CodeHawk/CHB/bchsummaries/bchsummaries.jar (found)
and check whether it works correctly by running some tests:
> chkx test runall
--ok-- arm32 elf suite_001 test_001
--ok-- x86 elf suite_001 test_001
--ok-- x86 elf suite_001 test_002
--ok-- x86 elf suite_001 test_003
--ok-- x86 elf suite_001 test_004
--ok-- x86 elf suite_001 test_005
--ok-- x86 pe suite_001 test_001.exe
--ok-- x86 pe suite_001 test_002.exe
--ok-- x86 pe suite_001 test_003.exe
--ok-- x86 pe suite_001 test_004.exe
--ok-- x86 pe suite_001 test_005.exe
All 11 tests passed.
To obtain the command-line interface, clone the repository and set the environment variables:
> cd
> git clone https://github.com/static-analyis-engineering/CodeHawk-Binary.git
> export PYTHONPATH=$HOME/CodeHawk-Binary
> export PATH=$HOME/CodeHawk-Binary/chb/cmdline:$PATH
To disassemble an x86, arm32, or mips32 executable:
> chkx analyze -d mybinary
...
This will show some statistics on the disassembly, but will not perform any analysis. It is usually a good first step, especially if the binary is large, to check whether disassembly succeeded. If this looks okay, analysis can be performed with (use --reset to remove any previous intermediate results):
> chkx analyze mybinary --reset
....
> chkx results stats mybinary
The following commands are available to see more detailed results:
results stats <xname>              output a summary of results with one line per function
results functions <xname> ...      output a listing of annotated assembly functions
results function <xname> <fn>      output a listing of a single annotated assembly function
results cfg <xname> <fn> ...       produce a control flow graph for a function (in pdf)
results cfgpaths <xname> <fn> ...  find paths through a cfg with a given target
results appcalls <xname>           output a listing of application calls
results dllcalls <xname>           output a listing of dll calls (PE32 only)
results stringargs <xname>         output a listing of calls with string arguments
results iocs <xname>               output a listing of indicators of compromise encountered
Finally, it is usually a good idea to reset the analysis results when re-analyzing a binary that was analyzed before:
> chkx analyze mybinary --reset
to avoid inconsistent intermediate results.
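The disassemble-check-analyze-report sequence above is easy to get wrong by hand when triaging many samples (forgetting --reset, or running the full analysis on a binary whose disassembly already failed). The following POSIX sh wrapper is an added example, not a script from the CodeHawk-Binary repository: it runs exactly the chkx commands shown in this README in that order, stops at the first failing step, and keeps every report as a file in an output directory. It assumes chkx is on PATH (or that CHKX points at it) and that PYTHONPATH has been set as described above; the CHKX variable and the report file names are conventions of this example only.

```shell
#!/bin/sh
# Added example wrapper (not part of CodeHawk-Binary): run the README's triage
# sequence on one binary and store each report under an output directory.
# Assumes chkx is on PATH, or CHKX names the executable (or a shell function).
set -u

CHKX="${CHKX:-chkx}"

# Reports collected after analysis; each maps to "chkx results <name> <bin>".
report_names() {
    echo "stats appcalls stringargs iocs"
}

# Run one chkx invocation, saving stdout and stderr to $outdir/<name>.txt.
# Returns chkx's exit status so the caller can stop on the first failure.
chkx_step() {
    name="$1"; outdir="$2"; shift 2
    "$CHKX" "$@" >"$outdir/$name.txt" 2>&1
}

# Full sequence: disassembly first (cheap sanity check on large binaries),
# then analysis with --reset to discard stale intermediate results,
# then the result listings. Returns 1 as soon as any step fails.
chkx_triage() {
    bin="$1"; outdir="$2"
    mkdir -p "$outdir"
    chkx_step disassembly "$outdir" analyze -d "$bin" \
        || { echo "disassembly failed for $bin (see $outdir/disassembly.txt)" >&2; return 1; }
    chkx_step analysis "$outdir" analyze "$bin" --reset \
        || { echo "analysis failed for $bin (see $outdir/analysis.txt)" >&2; return 1; }
    for report in $(report_names); do
        chkx_step "$report" "$outdir" results "$report" "$bin" \
            || { echo "results $report failed for $bin" >&2; return 1; }
    done
    echo "reports written to $outdir"
}

# Usage: sh triage.sh <binary> [outdir]; nothing runs when sourced without args.
if [ "${1:-}" ]; then
    chkx_triage "$1" "${2:-./chkx-out}"
fi
```

Because the wrapper resolves the tool through CHKX, it can be pointed at a specific analyzer checkout, or at a stub when testing the script itself; the dllcalls listing is deliberately left out of the default report set since it applies to PE32 binaries only, and can be added to report_names when triaging Windows samples.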