Straverse is a cross-platform static file signature scanner.
Sigscanning is a multi-step process involving extracting function signatures from a binary and then scanning for them at run-time to locate an otherwise-hidden function.
Given a signature (i.e. an array of bytes) and an input file, straverse tries to locate the address at which the signature occurs, whether once or multiple times.
I wanted something portable and cross-platform. Also, I find it very convenient to run a simple Python program as opposed to executing something like IDA and running a script against a file.
Requirements are all included in requirements.txt.
It's recommended, as always, to use virtualenv.
Assuming python3 points to Python version 3:
$ virtualenv --python=/usr/bin/python3 <directory>
$ source <directory>/bin/activate
$ pip install -r requirements.txt
$ cp config.example.json config.json
$ $EDITOR config.json
$ ./straverse.py --help
TBA
Analyzing a portable executable where the located bytes are not in .text will most likely display wrong bytes. This can be manually fixed (fixpe).
Also, whilst dereferencing, keep in mind the relative offsetting.
The proper way to do this would be at application runtime.
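The scan and the relative-offset dereference described above, as an added example that is not straverse's own code. It goes beyond a plain byte array by allowing `??` wildcard bytes; the function names, the `base` parameter and the sample bytes are assumptions made for illustration, and the rel32 operand is assumed to be the last four bytes of its instruction.

```python
import re
import struct


def compile_signature(sig):
    """Turn 'E8 ?? ?? ?? ?? 85 C0' into a bytes regex; '??' matches any byte."""
    parts = []
    for tok in sig.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    # DOTALL so the wildcard also matches the byte 0x0A.
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data, sig):
    """Return every offset where the signature occurs, overlapping hits included."""
    pattern = compile_signature(sig)
    hits, pos = [], 0
    while (m := pattern.search(data, pos)) is not None:
        hits.append(m.start())
        pos = m.start() + 1  # step one byte so overlapping matches are kept
    return hits


def resolve_rel32(data, operand_offset, base=0):
    """Dereference a little-endian signed rel32 operand.

    The displacement is relative to the address of the next instruction,
    i.e. the byte right after the 4-byte operand. `base` (hypothetical) is
    the address that offset 0 of `data` maps to.
    """
    (disp,) = struct.unpack_from("<i", data, operand_offset)
    return base + operand_offset + 4 + disp


# Constructed sample: two CALL rel32 (E8) instructions, each followed by TEST EAX,EAX.
SAMPLE = bytes.fromhex("90 90 E8 10 00 00 00 85 C0 CC E8 F1 FF FF FF 85 C0 C3")
SIGNATURE = "E8 ?? ?? ?? ?? 85 C0"

if __name__ == "__main__":
    for hit in scan(SAMPLE, SIGNATURE):
        # The operand starts one byte after the E8 opcode.
        target = resolve_rel32(SAMPLE, hit + 1, base=0x1000)
        print(f"match at offset {hit:#x}, call target {target:#x}")
```

On a real executable, `base` is not a single constant: file offsets map to addresses per section, which is why a static result can differ from what is seen at run-time.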