
Chrysalide
A new Reverse Engineering framework to analyze the deepest levels of binaries

Collaborative
Team work is integrated in the heart of the software; it is up to the user to choose how he shares his work.

Specialized
Embedded systems are the target domains; the first developments therefore focus on ARM, Dalvik, ELF and Java.

Expandable
Two APIs (C and Python) are available for building extensions to meet specific needs.

Interfaces
Chrysalide is the right tool for command-line purists as well as GUI fans.

Innovation
Reverse engineering is a complex activity that requires a great amount of intelligence and research.

Ecosystem
Functionally, Chrysalide is based on Free Software and integrates as much as possible into existing environments.
Introducing an alternative to YARA: ROST
Posted on October 13, 2023 at 4:36
The development of Chrysalide remains active, and its analysis process has lately been focused on binary scanning.
On this matter, the YARA tool from VirusTotal is commonly adopted, but the program evolves quite slowly and any module addition requires recompiling the whole project. So ROST was created with these key principles in mind:
- allowing new functions and namespaces to be defined as keywords for the match conditions;
- offering extension capabilities through native modules or Python scripts;
- making it easier to process scan results, with an optional JSON output;
- supporting a lot of formats, relying on definitions from Kaitai Struct for the parsing process.
ROST's grammar is similar to YARA's, with some minor incompatibilities. A provided tool, yara2rost, may help to translate existing YARA rules on the fly without effort.
Here is a mandatory Hello World example to show ROST in action:
    $ echo "Hello world!" | iconv -f ascii -t utf-16le > hello.bin
    $ cat hello.rost
    rule HelloWorld {
        bytes:
            $w = "world" wide
        condition:
            $w
    }
    $ rost -j hello.rost hello.bin | jq '.[] | [ .matched, .bytes_patterns[0].matches[0].offset ]'
    [
      true,
      12
    ]
Regular output is also available:
    $ rost -s hello.rost hello.bin
    HelloWorld hello.bin
    0xc:$w: w\x00o\x00r\x00l\x00d\x00
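Why the match sits at offset 12 (0xc) and why the `wide` modifier matters for detection: the following Python sketch is an added example, not ROST code or part of the original post, that reproduces the scan independently on the same bytes. All function names are hypothetical, and it assumes `wide` means each ASCII character followed by a NUL byte, as the matched bytes in the output above show.

```python
# Added illustration, not ROST code: an independent check of the
# Hello World scan result. All function names are hypothetical.

def widen(text: str) -> bytes:
    """Build the wide form of an ASCII pattern: every character is
    followed by a NUL byte (UTF-16LE without a byte order mark)."""
    return b"".join(bytes([c, 0]) for c in text.encode("ascii"))

def find_all(data: bytes, needle: bytes) -> list:
    """Return every offset of needle in data, overlapping hits included."""
    offsets = []
    pos = data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + 1)
    return offsets

def escape(raw: bytes) -> str:
    """Render bytes as in the regular output: printable ASCII as-is,
    anything else as \\xNN."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}" for b in raw)

def scan(data: bytes, name: str, text: str, wide: bool = False) -> list:
    """Return one 'offset:$name: bytes' line per match of the pattern."""
    needle = widen(text) if wide else text.encode("ascii")
    return [
        f"0x{off:x}:${name}: {escape(data[off:off + len(needle)])}"
        for off in find_all(data, needle)
    ]

# Constructed sample: the bytes produced by
#   echo "Hello world!" | iconv -f ascii -t utf-16le
SAMPLE = "Hello world!\n".encode("utf-16-le")

if __name__ == "__main__":
    # "Hello " is 6 characters, 2 bytes each, so "world" starts at byte 12.
    print(scan(SAMPLE, "w", "world", wide=True))
    # The plain ASCII pattern never matches UTF-16LE data: a rule written
    # without the wide modifier would silently miss this string.
    print(scan(SAMPLE, "w", "world"))
```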
Even if some important features are still missing (such as support for loops or regular expressions), ROST is currently usable and this blog post highlights a few new capabilities through real-world cases.
For more information, the documentation provides all the details of the current state of the implementation.
For the record, this article is based on commit ab6b87b7, so you can give this version of ROST a try by installing one of the available packages or by running:
    git clone http://git.0xdeadc0de.fr/chrysalide.git
    cd chrysalide
    git checkout ab6b87b7
One year later three directions for Chrysalide
Posted on April 30, 2018 at 16:18
More than one year has passed since the last blog post.
No news, good news.
A lot of improvements have been committed, as the statistics show:
    git diff --stat 3d2576f..HEAD | tail -1
     1818 files changed, 62736 insertions(+), 68424 deletions(-)
A small Python script has also been created to plot the development activity for 2018:

The number of past and upcoming changes is quite large, so here is a quick summary of three major changes.
The following article is based on commit ce43a13d, so you can give this version of Chrysalide a try by running:
    git clone http://git.0xdeadc0de.fr/chrysalide.git
    cd chrysalide
    git checkout ce43a13d
As usual, the next step is to follow the installation procedure.