Xori is an automation-ready disassembly and static analysis library for PE32, 32+ and shellcode

Overview

Xori - Custom disassembly framework

License: AGPL v3

Xori is an automation-ready disassembly and static analysis library that consumes shellcode or PE binaries and provides triage analysis data.

Acknowledgements:

Xori wouldn't exist without inspiration and ideas from the open source community. We are indebted to the work of the Capstone engine and the LLVM Project.

Architectures:

  • i386
  • x86-64

File Formats

  • PE, PE+
  • Plain shellcode

Current Features

  • Outputs JSON of the 1) Disassembly, 2) Functions, and 3) Imports.
  • Manages Image and Stack memory.
  • 2 modes:
    • Light Emulation - meant to enumerate all paths (Registers, Stack, Some Instructions).
    • Full Emulation - only follows the code’s path (Slow performance).
  • Simulated TEB & PEB structures.
  • Evaluates functions based on DLL exports.
  • Displays strings based on referenced memory locations.
  • Uses FLIRT style signatures (Fast Library Identification and Recognition Technology).
  • Allows you to use your own exports for simulating the PEB.
  • Will detect padding after a non-returning call.
  • Will try to identify function references from offsets.

What it doesn't do yet:

  • The engine is interactive.
  • Does not dump strings.
  • Does not process non-executable sections.
  • TEB and PEB are not enabled for non-pe files.
  • Only some x86 instructions are emulated, not all.
  • Patching and assembling.
  • No plugins or scripting.

Documentation

Requirements

rustc 1.27.0

Install rust for OSX & Linux Distros

curl https://sh.rustup.rs -sSf | sh

Install rust for Windows

First get the rustup.exe (the rust toolchain installer) from here.

This tool will install the rust compiler rustc, the rust package manager cargo and other useful tools for development in rust.

  • run the rustup.exe

Install rust prerequisites

If you see this output, your Windows environment is missing the Build Tools for Visual Studio, so keep reading; otherwise go here.

  • follow the link from the output, or click here

  • cancel the rustup-init.exe

  • back in browser, scroll down, expand the tab Tools for Visual Studio 2017 & download the Build Tools for Visual Studio 2017

  • run the executable

Choose the Visual C++ build tools and click "install", then close the "Visual Studio Installer" after the installation.

Install rust toolchain

Run the rustup.exe and you will see the following output.

After the successful installation you can see that the rust compiler rustc, rust package manager cargo and other tools were installed (under C:\Users\%username%\.cargo & C:\Users\%username%\.rustup).

  • open a new "Command Prompt" & follow the xori build steps here

Installation

1. Build Xori

This command will also create other binaries such as pesymbols and peinfo.

git clone https://github.com/endgameinc/xori.git
cd xori
cargo build --release

2. Create xori.json config file

cp xori.json.example xori.json
[edit if desired]

3. (Optional) Build the symbols files

If you want to create your own symbol files you need to set the dll folders to where you stored your windows dlls.

"function_symbol32": "./src/analysis/symbols/generated_user_syswow64.json",
"function_symbol64": "./src/analysis/symbols/generated_user_system32.json",
"symbol_server": {
	"dll_folder32": "./dlls/32bit",
	"dll_folder64": "./dlls/64bit"
}

Run pesymbols to overwrite the function_symbol json

 ./target/release/pesymbols

Run

./target/release/xori -f test.exe

Run all tests

cargo test

Browser GUI

Browser   Chrome   Firefox   Safari   IE   Opera
Version   Latest   Latest    Latest   x    Latest

Requirements

nodejs

yarn (optional for UI dev)

  • On Ubuntu 18.04 you may need to apt install the following: curl git libssl-dev pkg-config build-essential npm

Build

cd gui
npm install

Run

In one terminal

cd gui
node src/server.js

In another terminal

cd gui
npm start

It will open your default browser to http://localhost:3000/. The backend API is listening on localhost:5000.

Comments
  • Xori install error on Windows 10

    I've attempted to install Xori on two versions of Windows 10; both the latest and greatest v 1803 as well as the previous version (1709 I believe). Per the requirements:

    • Installed Rust from https://static.rust-lang.org/dist/rust-1.28.0-x86_64-pc-windows-gnu.msi
    • Downloaded the zip from https://github.com/endgameinc/xori
    • Tried installing in CMD window, both with and without Admin privileges using "cargo build --release".
    • Also tried installing with the same command in a PowerShell window.

    In all cases, I got the attached error message.

    Can you help me troubleshoot this?

    opened by SeattleForensics 7
  • fix endianness of macho magic number check

    Before

    $ target/debug/xori -f /bin/cp -o /dev/null
    error: config file does not exist, using default configurations.
     [DEBUG] analyze()
     [DEBUG] binary data header not parsed
     [DEBUG] Identified binary data
     [DEBUG] disassemble()
    IMAGE START:       1000
    CODE START:       1000
    ENTRYPOINT:       1000
    ARCH: ArchX86
    MODE: Mode32
     [DEBUG] stack overflow2
     [DEBUG] is return
    0x1000           CF                   iretd  ; FUNC 0x1000 END
    

    Testing

    $ hexdump /bin/cp | head -c 56
    0000000 cf fa ed fe 07 00 00 01 03 00 00 80 02 00 00 00
    

    analyze.rs:: 147 if test_macho.eq(b"\xFE\xED\xFA\xCE")

    Change to

    analyze.rs:: 147 if test_macho.eq(b"\xCF\xFA\xED\xFE")

    After

    $ target/debug/xori -f /bin/cp -o /dev/null
    error: config file does not exist, using default configurations.
     [DEBUG] analyze()
    "MACHO is not supported yet"
    

    My linter removed trailing whitespace. If this is not ideal I can amend the commit.

    opened by LucienBrule 5
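
The magic of a Mach-O file is stored in the byte order of its target CPU, so a single byte-string comparison matches only one variant. The following is an added example, not code from Xori or from the pull request above; it goes beyond the one magic in the post to the 32-bit, 64-bit and fat magics in both byte orders, and the names `sniff`, `FileKind` and `MachHeader` are hypothetical. The sample bytes are the first 16 bytes of /bin/cp as shown in the hexdump in the post.

```rust
// Added example, not Xori code: recognise a Mach-O header in either byte
// order and read its first fields without indexing past the buffer.

const MH_MAGIC: u32 = 0xFEED_FACE; // 32-bit Mach-O
const MH_MAGIC_64: u32 = 0xFEED_FACF; // 64-bit Mach-O
const FAT_MAGIC: u32 = 0xCAFE_BABE; // universal binary; fat headers are big-endian on disk

/// First 16 bytes of /bin/cp, copied from the hexdump in the post above.
pub const CP_HEADER: [u8; 16] = [
    0xcf, 0xfa, 0xed, 0xfe, 0x07, 0x00, 0x00, 0x01,
    0x03, 0x00, 0x00, 0x80, 0x02, 0x00, 0x00, 0x00,
];

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Endian {
    Little,
    Big,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct MachHeader {
    pub bits: u8,
    pub endian: Endian,
    pub cputype: u32,  // 0x0100_0007 is x86-64
    pub filetype: u32, // 2 is MH_EXECUTE
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum FileKind {
    Pe,
    MachO(MachHeader),
    MachOTruncated, // magic matched but the header is cut short
    FatMachO,
    Unknown,
}

/// Read a u32 at `off` in the given byte order; None if it does not fit.
fn word(data: &[u8], off: usize, endian: Endian) -> Option<u32> {
    let s = data.get(off..off.checked_add(4)?)?;
    let b = [s[0], s[1], s[2], s[3]];
    Some(match endian {
        Endian::Little => u32::from_le_bytes(b),
        Endian::Big => u32::from_be_bytes(b),
    })
}

pub fn sniff(data: &[u8]) -> FileKind {
    if data.starts_with(b"MZ") {
        return FileKind::Pe; // DOS header signature at the start of a PE file
    }
    // Test the first word in both byte orders instead of comparing against
    // one fixed byte string.
    for &endian in &[Endian::Little, Endian::Big] {
        let bits = match word(data, 0, endian) {
            Some(MH_MAGIC) => 32,
            Some(MH_MAGIC_64) => 64,
            _ => continue,
        };
        // mach_header layout: magic @0, cputype @4, cpusubtype @8, filetype @12.
        return match (word(data, 4, endian), word(data, 12, endian)) {
            (Some(cputype), Some(filetype)) => {
                FileKind::MachO(MachHeader { bits, endian, cputype, filetype })
            }
            _ => FileKind::MachOTruncated,
        };
    }
    // 0xCAFEBABE is also the Java class-file magic, so a real tool needs a
    // second check (for example a small architecture count) before trusting it.
    if word(data, 0, Endian::Big) == Some(FAT_MAGIC) {
        return FileKind::FatMachO;
    }
    FileKind::Unknown
}

fn main() {
    println!("{:?}", sniff(&CP_HEADER));
    // The 7-byte shellcode sample from a later report on this page.
    println!("{:?}", sniff(&[0xeb, 0x01, 0x0f, 0x31, 0xc0, 0x40, 0xc3]));
}
```
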
  • slice exception for small sample

    Using the small 7-byte sample with hex dump

    00000000: eb 01 0f 31 c0 40 c3 ...1.@.

    Running the command line analysis xori -f [file]

    results in following exception:

    error: folder does not exist, using current_dir
    error: config file does not exist, using default configurations.
    IMAGE START: 1000
    CODE START: 1000
    ENTRYPOINT: 1000
    ARCH: ArchX86
    MODE: Mode32
    thread 'main' panicked at 'index 11 out of range for slice of length 7', libcore/slice/mod.rs:1965:5
    stack backtrace:
       0: std::sys::unix::backtrace::tracing::imp::unwind_backtrace
                 at libstd/sys/unix/backtrace/tracing/gcc_s.rs:49
       1: std::sys_common::backtrace::print
                 at libstd/sys_common/backtrace.rs:71
                 at libstd/sys_common/backtrace.rs:59
       2: std::panicking::default_hook::{{closure}}
                 at libstd/panicking.rs:211
       3: std::panicking::default_hook
                 at libstd/panicking.rs:227
       4: std::panicking::rust_panic_with_hook
                 at libstd/panicking.rs:511
       5: std::panicking::continue_panic_fmt
                 at libstd/panicking.rs:426
       6: rust_begin_unwind
                 at libstd/panicking.rs:337
       7: core::panicking::panic_fmt
                 at libcore/panicking.rs:92
       8: core::slice::slice_index_len_fail
                 at libcore/slice/mod.rs:1965
       9: xori::analysis::data_analyzer::check_if_padding
                 at /checkout/src/libcore/slice/mod.rs:2130
                 at /checkout/src/libcore/slice/mod.rs:1947
                 at src/analysis/data_analyzer.rs:33
      10: xori::arch::x86::analyzex86::analyze_instructionx86
                 at src/arch/x86/analyzex86.rs:1247
      11: xori::arch::x86::analyzex86::recurse_disasmx86
                 at src/arch/x86/analyzex86.rs:1387
      12: xori::analysis::analyze::disassemble_init
                 at src/analysis/analyze.rs:421
      13: xori::analysis::analyze::analyze
                 at src/analysis/analyze.rs:523
      14: xori::main
                 at src/main.rs:131
      15: std::rt::lang_start::{{closure}}
                 at /checkout/src/libstd/rt.rs:74
      16: std::panicking::try::do_call
                 at libstd/rt.rs:59
                 at libstd/panicking.rs:310
      17: __rust_maybe_catch_panic
                 at libpanic_unwind/lib.rs:105
      18: std::rt::lang_start_internal
                 at libstd/panicking.rs:289
                 at libstd/panic.rs:392
                 at libstd/rt.rs:58
      19: main
      20: __libc_start_main
      21: _start


    Note: ubuntu 16.04 rustc 1.28.0 cargo 1.28.0

    opened by drstrng 4
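
The backtrace above ends in a slice range that runs past a 7-byte buffer inside `check_if_padding`. The following is an added example, not Xori's code, that puts an unchecked look-ahead beside a bounds-checked one; the function names, the padding byte set and the 4-byte window are assumptions chosen to give the same out-of-range end index as the report.

```rust
// Added example, not Xori code: look ahead for padding without slicing past
// the end of the buffer. Names, padding set and window size are assumptions.

/// The 7-byte sample from the report above.
pub const SAMPLE: [u8; 7] = [0xeb, 0x01, 0x0f, 0x31, 0xc0, 0x40, 0xc3];

/// Bytes treated as padding in this sketch (assumed set): zero fill, NOP, INT3.
const PAD_BYTES: [u8; 3] = [0x00, 0x90, 0xCC];

/// Length of the run of one repeated padding byte at the start of `tail`.
fn count_run(tail: &[u8]) -> usize {
    match tail.first() {
        Some(&first) if PAD_BYTES.contains(&first) => {
            tail.iter().take_while(|&&b| b == first).count()
        }
        _ => 0,
    }
}

/// Unchecked form: trusts that `window` bytes exist after `offset`.
/// `&code[a..b]` panics when b > code.len(); with a 7-byte input, offset 7
/// and window 4 the end index is 11, as in the panic message above.
pub fn padding_run_unchecked(code: &[u8], offset: usize, window: usize) -> usize {
    let tail = &code[offset..offset + window];
    count_run(tail)
}

/// Checked form: clamp the window to what is left in the buffer and treat an
/// offset past the end as "no padding" instead of panicking.
pub fn padding_run(code: &[u8], offset: usize, window: usize) -> usize {
    let end = offset.saturating_add(window).min(code.len());
    match code.get(offset..end) {
        Some(tail) => count_run(tail),
        None => 0, // offset > code.len()
    }
}

/// Drive the checked form over every offset and window around the buffer
/// edge and confirm the result never describes bytes outside the buffer.
pub fn sweep(code: &[u8], max_window: usize) -> bool {
    for offset in 0..=code.len() + max_window {
        for window in 0..=max_window {
            let n = padding_run(code, offset, window);
            if n > window || (n > 0 && offset + n > code.len()) {
                return false;
            }
        }
    }
    true
}

fn main() {
    // Look-ahead just past the final `ret` of the sample: nothing to read.
    println!("sample, offset 7: {}", padding_run(&SAMPLE, 7, 4));
    // Constructed input: ret, three INT3 bytes, then push ebp.
    let padded = [0xC3, 0xCC, 0xCC, 0xCC, 0x55];
    println!("padded, offset 1: {}", padding_run(&padded, 1, 8));
    println!("sweep ok: {}", sweep(&SAMPLE, 16));
}
```
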
  • Update api-consumer.jsx

    While the webUI is accessible via the network, hardcoding 'localhost' returns errors when uploading from another machine. Substituting 'localhost' with 'window.location.hostname' dynamically changes the POST URL path to adjust and remain functional from other machines on the Network. In my case Xori can now be used on a centralized server that is shared between team members.

    opened by foxns1 4
  • Fix remaining warnings in xori build

    https://github.com/endgameinc/xori/pull/39 fixes the majority of the build warnings in xori. There are a couple outstanding warnings that need further investigation. I see these warnings when building on macos 10.15.3, ubuntu 19.10, and windows server 2019.

       Compiling xori v0.0.1 (/Users/hulk/src/endgameinc/xori)
    warning: use of deprecated item 'std::mem::uninitialized': use `mem::MaybeUninit` instead
       --> src/analysis/formats/pe.rs:523:3
        |
    523 | /   do_parse!(input,
    524 | |         major_linker_version: le_u8 >>
    525 | |         minor_linker_version: le_u8 >>
    526 | |         size_of_code: le_u32 >>
    ...   |
    584 | |         }))
    585 | |   )
        | |___^
        |
        = note: `#[warn(deprecated)]` on by default
        = note: this warning originates in a macro outside of the current crate (in Nightly builds, run with -Z external-macro-backtrace for more info)
    
    warning: use of deprecated item 'std::mem::uninitialized': use `mem::MaybeUninit` instead
       --> src/analysis/formats/pe.rs:589:3
        |
    589 | /   do_parse!(input,
    590 | |         major_linker_version: le_u8 >>
    591 | |         minor_linker_version: le_u8 >>
    592 | |         size_of_code: le_u32 >>
    ...   |
    653 | |             )
    654 | |   )
        | |___^
        |
        = note: this warning originates in a macro outside of the current crate (in Nightly builds, run with -Z external-macro-backtrace for more info)
    
    opened by mikemadden42 3
  • precompute regex for all loaded signatures

    dunno if rebuilding the signature regex each match_bytes was intentional but creating and compiling the regex is a huge amount of runtime, at least using a crosscompiled-to-windows xori.exe as my test file. Since signatures afaict is immutable everywhere other than init and load_flirts, I believe this is a functionally equivalent change, but I don't have any custom pattern files or many other binaries to test on at the moment.

    After this change, diff before after shows no differences in output, but completes in ~2.4 seconds under perf, where it was closer to 10 seconds under perf before.

    Tripped across this while looking into something else that ended up not being an improvement, whoops.

    opened by iximeow 3
  • Bump urijs from 1.19.1 to 1.19.10 in /gui

    Bumps urijs from 1.19.1 to 1.19.10.

    Release notes

    Sourced from urijs's releases.

    1.19.10 (March 5th 2022)

    1.19.9 (March 3rd 2022)

    1.19.8 (February 15th 2022)

    1.19.7 (July 14th 2021)

    • SECURITY fixing URI.parseQuery() to prevent overwriting __proto__ in parseQuery() - disclosed privately by @​NewEraCracker
    • SECURITY fixing URI.parse() to handle variable amounts of \ and / in scheme delimiter as Node and Browsers do - disclosed privately by ready-research via https://huntr.dev/
    • removed obsolete build tools
    • updated jQuery versions (verifying compatibility with 1.12.4, 2.2.4, 3.6.0)

    1.19.6 (February 13th 2021)

    • SECURITY fixing URI.parse() to rewrite \ in scheme delimiter to / as Node and Browsers do - disclosed privately by Yaniv Nizry from the CxSCA AppSec team at Checkmarx

    1.19.5 (December 30th 2020)

    1.19.4 (December 23rd 2020)

    1.19.3 (December 20th 2020)

    1.19.2 (October 20th 2019)

    Changelog

    Sourced from urijs's changelog.

    Commits
    • 926b2aa chore(build): bumping to version 1.19.10
    • a8166fe fix(parse): handle excessive colons in scheme delimiter
    • 01920b5 chore(build): bumping to version 1.19.9
    • 86d1052 fix(parse): remove leading whitespace
    • efae1e5 chore(build): bumping to version 1.19.8
    • 6ea641c fix(parse): case insensitive scheme - #412
    • 19e54c7 chore(build): bumping to version 1.19.7
    • 547d4b6 build: update jquery
    • aab4a43 build: remove obsolete build tools
    • ac43ca8 fix(parse): more backslash galore #410
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies 
    opened by dependabot[bot] 2
  • Bump urijs from 1.19.1 to 1.19.9 in /gui

    Bumps urijs from 1.19.1 to 1.19.9.

    Release notes

    Sourced from urijs's releases.

    1.19.9 (March 3rd 2022)

    1.19.8 (February 15th 2022)

    1.19.7 (July 14th 2021)

    • SECURITY fixing URI.parseQuery() to prevent overwriting __proto__ in parseQuery() - disclosed privately by @​NewEraCracker
    • SECURITY fixing URI.parse() to handle variable amounts of \ and / in scheme delimiter as Node and Browsers do - disclosed privately by ready-research via https://huntr.dev/
    • removed obsolete build tools
    • updated jQuery versions (verifying compatibility with 1.12.4, 2.2.4, 3.6.0)

    1.19.6 (February 13th 2021)

    • SECURITY fixing URI.parse() to rewrite \ in scheme delimiter to / as Node and Browsers do - disclosed privately by Yaniv Nizry from the CxSCA AppSec team at Checkmarx

    1.19.5 (December 30th 2020)

    1.19.4 (December 23rd 2020)

    1.19.3 (December 20th 2020)

    1.19.2 (October 20th 2019)

    Changelog

    Sourced from urijs's changelog.

    Commits
    • 01920b5 chore(build): bumping to version 1.19.9
    • 86d1052 fix(parse): remove leading whitespace
    • efae1e5 chore(build): bumping to version 1.19.8
    • 6ea641c fix(parse): case insensitive scheme - #412
    • 19e54c7 chore(build): bumping to version 1.19.7
    • 547d4b6 build: update jquery
    • aab4a43 build: remove obsolete build tools
    • ac43ca8 fix(parse): more backslash galore #410
    • 622db6d docs: add security policy
    • 8e51b00 fix(parse): prevent overwriting proto in parseQuery()
    • Additional commits viewable in compare view

    dependencies 
    opened by dependabot[bot] 2
  • Bump urijs from 1.19.1 to 1.19.8 in /gui

    Bumps urijs from 1.19.1 to 1.19.8.

    Release notes

    Sourced from urijs's releases.

    1.19.8 (February 15th 2022)

    1.19.7 (July 14th 2021)

    • SECURITY fixing URI.parseQuery() to prevent overwriting __proto__ in parseQuery() - disclosed privately by @​NewEraCracker
    • SECURITY fixing URI.parse() to handle variable amounts of \ and / in scheme delimiter as Node and Browsers do - disclosed privately by ready-research via https://huntr.dev/
    • removed obsolete build tools
    • updated jQuery versions (verifying compatibility with 1.12.4, 2.2.4, 3.6.0)

    1.19.6 (February 13th 2021)

    • SECURITY fixing URI.parse() to rewrite \ in scheme delimiter to / as Node and Browsers do - disclosed privately by Yaniv Nizry from the CxSCA AppSec team at Checkmarx

    1.19.5 (December 30th 2020)

    1.19.4 (December 23rd 2020)

    1.19.3 (December 20th 2020)

    1.19.2 (October 20th 2019)

    Changelog

    Sourced from urijs's changelog.

    Commits
    • efae1e5 chore(build): bumping to version 1.19.8
    • 6ea641c fix(parse): case insensitive scheme - #412
    • 19e54c7 chore(build): bumping to version 1.19.7
    • 547d4b6 build: update jquery
    • aab4a43 build: remove obsolete build tools
    • ac43ca8 fix(parse): more backslash galore #410
    • 622db6d docs: add security policy
    • 8e51b00 fix(parse): prevent overwriting proto in parseQuery()
    • 46c8ac0 chore(build): bumping to version 1.19.6
    • a1ad8bc fix(parse): treat backslash as forwardslash in scheme delimiter
    • Additional commits viewable in compare view

    dependencies 
    opened by dependabot[bot] 2
  • Bump follow-redirects from 1.4.1 to 1.14.7 in /gui

    Bumps follow-redirects from 1.4.1 to 1.14.7.

    Commits
    • 2ede36d Release version 1.14.7 of the npm package.
    • 8b347cb Drop Cookie header across domains.
    • 6f5029a Release version 1.14.6 of the npm package.
    • af706be Ignore null headers.
    • d01ab7a Release version 1.14.5 of the npm package.
    • 40052ea Make compatible with Node 17.
    • 86f7572 Fix: clear internal timer on request abort to avoid leakage
    • 2e1eaf0 Keep Authorization header on subdomain redirects.
    • 2ad9e82 Carry over Host header on relative redirects (#172)
    • 77e2a58 Release version 1.14.4 of the npm package.
    • Additional commits viewable in compare view

    dependencies 
    opened by dependabot[bot] 2
  • Bump tar from 4.4.1 to 4.4.15 in /gui

    Bumps tar from 4.4.1 to 4.4.15.

    Commits

    dependencies 
    opened by dependabot[bot] 2
  • Bump express from 4.16.3 to 4.17.3 in /gui

    Bumps express from 4.16.3 to 4.17.3.

    Release notes

    Sourced from express's releases.

    4.17.3

    4.17.2

    4.17.1

    • Revert "Improve error message for null/undefined to res.status"

    4.17.0

    • Add express.raw to parse bodies into Buffer
    • Add express.text to parse bodies into string

    ... (truncated)

    Changelog

    Sourced from express's changelog.

    4.17.3 / 2022-02-16

    4.17.2 / 2021-12-16

    4.17.1 / 2019-05-25

    ... (truncated)

    Commits

    dependencies 
    opened by dependabot[bot] 1
  • Bump decode-uri-component from 0.2.0 to 0.2.2 in /gui


    Bumps decode-uri-component from 0.2.0 to 0.2.2.

    Release notes

    Sourced from decode-uri-component's releases.

    v0.2.2

    • Prevent overwriting previously decoded tokens 980e0bf

    https://github.com/SamVerschueren/decode-uri-component/compare/v0.2.1...v0.2.2

    v0.2.1

    • Switch to GitHub workflows 76abc93
    • Fix issue where decode throws - fixes #6 746ca5d
    • Update license (#1) 486d7e2
    • Tidelift tasks a650457
    • Meta tweaks 66e1c28

    https://github.com/SamVerschueren/decode-uri-component/compare/v0.2.0...v0.2.1


    dependencies 
    opened by dependabot[bot] 1
  • Bump css-what from 2.1.0 to 2.1.3 in /gui


    Bumps css-what from 2.1.0 to 2.1.3.


    dependencies 
    opened by dependabot[bot] 1
  • Bump urijs from 1.19.1 to 1.19.11 in /gui


    Bumps urijs from 1.19.1 to 1.19.11.

    Release notes

    Sourced from urijs's releases.

    1.19.11 (April 3rd 2022)

    1.19.10 (March 5th 2022)

    1.19.9 (March 3rd 2022)

    1.19.8 (February 15th 2022)

    1.19.7 (July 14th 2021)

    • SECURITY fixing URI.parseQuery() to prevent overwriting __proto__ in parseQuery() - disclosed privately by @NewEraCracker
    • SECURITY fixing URI.parse() to handle variable amounts of \ and / in scheme delimiter as Node and Browsers do - disclosed privately by ready-research via https://huntr.dev/
    • removed obsolete build tools
    • updated jQuery versions (verifying compatibility with 1.12.4, 2.2.4, 3.6.0)

    1.19.6 (February 13th 2021)

    • SECURITY fixing URI.parse() to rewrite \ in scheme delimiter to / as Node and Browsers do - disclosed privately by Yaniv Nizry from the CxSCA AppSec team at Checkmarx

    1.19.5 (December 30th 2020)

    1.19.4 (December 23rd 2020)

    1.19.3 (December 20th 2020)

    1.19.2 (October 20th 2019)


    Commits
    • b655c1b chore(build): bumping to version 1.19.11
    • b0c9796 fix(parse): handle CR,LF,TAB
    • 88805fd fix(parse): handle excessive slashes in scheme-relative URLs
    • 926b2aa chore(build): bumping to version 1.19.10
    • a8166fe fix(parse): handle excessive colons in scheme delimiter
    • 01920b5 chore(build): bumping to version 1.19.9
    • 86d1052 fix(parse): remove leading whitespace
    • efae1e5 chore(build): bumping to version 1.19.8
    • 6ea641c fix(parse): case insensitive scheme - #412
    • 19e54c7 chore(build): bumping to version 1.19.7
    • Additional commits viewable in compare view


    dependencies 
    opened by dependabot[bot] 1
  • Bump follow-redirects from 1.4.1 to 1.14.8 in /gui


    Bumps follow-redirects from 1.4.1 to 1.14.8.

    Commits
    • 3d81dc3 Release version 1.14.8 of the npm package.
    • 62e546a Drop confidential headers across schemes.
    • 2ede36d Release version 1.14.7 of the npm package.
    • 8b347cb Drop Cookie header across domains.
    • 6f5029a Release version 1.14.6 of the npm package.
    • af706be Ignore null headers.
    • d01ab7a Release version 1.14.5 of the npm package.
    • 40052ea Make compatible with Node 17.
    • 86f7572 Fix: clear internal timer on request abort to avoid leakage
    • 2e1eaf0 Keep Authorization header on subdomain redirects.
    • Additional commits viewable in compare view


    dependencies 
    opened by dependabot[bot] 1
  • Bump chownr from 1.0.1 to 1.1.4 in /gui


    Bumps chownr from 1.0.1 to 1.1.4.


    dependencies 
    opened by dependabot[bot] 0
Owner
ENDGAME
Binary Analysis Framework in Rust

Welcome to Falcon Falcon is a formal binary analysis framework in Rust. Expression-based IL with strong influences from RREIL and Binary Ninja's LLIL.

Falcon Binary Analysis Framework 489 Dec 18, 2022
radare2-based decompiler and symbol executor

Radeco A radare2 based binary analysis framework consisting from the Radeco client, in ./radeco/ directory, ./radeco-lib/ - library where whole high-l

radare org 349 Dec 28, 2022
☢ Guerrilla (or Monkey) Patching in Rust for (unsafe) fun and profit.

Guerrilla Guerrilla (or Monkey) Patching in Rust for (unsafe) fun and profit. Provides arbitrary monkey patching in Rust. Please do not use this crate

Ryan Leckey 97 Dec 16, 2022
Xori is an automation-ready disassembly and static analysis library for PE32, 32+ and shellcode

Xori - Custom disassembly framework Xori is an automation-ready disassembly and static analysis library that consumes shellcode or PE binaries and pro

ENDGAME 712 Nov 28, 2022
Easy c̵̰͠r̵̛̠ö̴̪s̶̩̒s̵̭̀-t̶̲͝h̶̯̚r̵̺͐e̷̖̽ḁ̴̍d̶̖̔ ȓ̵͙ė̶͎ḟ̴͙e̸̖͛r̶̖͗ë̶̱́ṉ̵̒ĉ̷̥e̷͚̍ s̷̹͌h̷̲̉a̵̭͋r̷̫̊ḭ̵̊n̷̬͂g̵̦̃ f̶̻̊ơ̵̜ṟ̸̈́ R̵̞̋ù̵̺s̷̖̅ţ̸͗!̸̼͋

Rust S̵̓i̸̓n̵̉ I̴n̴f̶e̸r̵n̷a̴l mutability! Howdy, friendly Rust developer! Ever had a value get m̵̯̅ð̶͊v̴̮̾ê̴̼͘d away right under your nose just when

null 294 Dec 23, 2022
Static Web Server - a very small and fast production-ready web server suitable to serve static web files or assets

Static Web Server (or SWS abbreviated) is a very small and fast production-ready web server suitable to serve static web files or assets.

Jose Quintana 496 Jan 2, 2023
Nodium is an easy-to-use data analysis and automation platform built using Rust, designed to be versatile and modular.

Nodium is an easy-to-use data analysis and automation platform built using Rust, designed to be versatile and modular. Nodium aims to provide a user-friendly visual node-based interface for various tasks.

roggen 19 May 2, 2023
A minimal and fast zero-copy parser for the PE32+ file format.

peview A minimal and fast zero-copy parser for the PE32+ file format. Goal This project aims to offer a more light weight and easier to use alternativ

null 5 Dec 20, 2022
A library and binary for testing unhooking ntdll by identifying hooks via in-memory disassembly

(First Public?) Sample of unhooking ntdll (All Exports & IAT imports) hooks in Rust using in-memory disassembly, avoiding direct syscalls and all hooked functions (incl. hooked NtProtectVirtualMemory)

Signal Labs 52 Apr 9, 2023
Extensions for x64dbg written in Rust: Telescope and Unicorn powered disassembly

This is the library that extends x64dbg with new features: Telescope. It's basically recursive dereferencerer of memory view which looks at the pointe

null 18 Sep 11, 2022
Retina is a network analysis framework that supports 100+ Gbps traffic analysis on a single server with no specialized hardware.

Retina Retina is a network analysis framework that enables operators and researchers to ask complex questions about high-speed (>100gbE) network links

Stanford Security Research 73 Jun 21, 2023
⚙️ A curated list of static analysis (SAST) tools for all programming languages, config files, build tools, and more.

This repository lists static analysis tools for all programming languages, build tools, config files and more. The official website, analysis-tools.de

Analysis Tools 10.7k Jan 2, 2023
Whole program static stack analysis

cargo-call-stack Static, whole program stack analysis Other examples: Embedded CoAP / IPv4 server (source) "Hello, world!" HEADS UP: This tool relies

Jorge Aparicio 457 Dec 22, 2022
Shellcheck - a static analysis tool for shell scripts

ShellCheck - A shell script static analysis tool ShellCheck is a GPLv3 tool that gives warnings and suggestions for bash/sh shell scripts: The goals o

Vidar Holen 31.1k Jan 9, 2023
Rust-based static analysis for TypeScript projects

Fast TypeScript Analyzer FTA (Fast TypeScript Analyzer) is a super-fast TypeScript static analysis tool written in Rust. It captures static informatio

Sam Brown 4 May 23, 2023
Docker images for compiling static Rust binaries using musl-libc and musl-gcc, with static versions of useful C libraries. Supports openssl and diesel crates.

rust-musl-builder: Docker container for easily building static Rust binaries Source on GitHub Changelog UPDATED: Major updates in this release which m

Eric Kidd 1.3k Jan 1, 2023
Shellcode Runner/Injector in Rust using NTDLL functions directly with the ntapi Library

RustSCRunner Shellcode Runner/Injector in Rust using NTDLL functions directly with the ntapi Library. Surprisingly this is my first ever Rust project

null 86 Dec 18, 2021
A new shellcode injection technique. Given as C++ header, standalone Rust program or library.

FunctionStomping Description This is a brand-new technique for shellcode injection to evade AVs and EDRs. This technique is inspired by Module Stompin

Ido Veltzman 608 Jan 4, 2023
Hot reload static web server for deploying multiple static web sites with version control.

SPA-SERVER It is to provide a static web http server with cache and hot reload. 中文 README Feature Built with Hyper and Warp, fast and small! SSL with

null 7 Dec 18, 2022