v0.2.2

@rushter rushter released this 27 Dec 09:46 · 5 commits to main since this release
  • Added the SuspiciousWrite rule.
  • Added the OSFingerprint rule.
  • Improved exfiltration detection for sensitive data (os.environ).
  • Added the benchmark command.
  • Added the dump-package command.
  • Improved tracking of data flow through lists, functions, dicts and similar containers, which strengthens obfuscation detection.
  • Base64 strings are now decoded.
  • Significantly improved exec/eval detection.

Some examples of the kinds of code that can now be deobfuscated and detected:

# A callable resolved through importlib and a name concatenated from fragments
def doit(m, f1, f2):
    import importlib

    module = importlib.import_module(m)
    function_name = f1 + f2
    function = getattr(module, function_name)
    return function


username = doit("os", "getl", "ogin")()

# The same callee reached through a list index, a dict dispatch table,
# __getattribute__ and map()
import os

[os.system][0]("ls")
dispatch = {"run": os.system}
dispatch["run"]("ls")

os.__getattribute__("system")("ls")

list(map(os.system, ["ls"]))

# A reversed, base64-encoded, zlib-compressed payload handed to exec() inside a
# setuptools install command override (install.run(self))
_ = lambda __: __import__("zlib").decompress(
    __import__("base64").b64decode(__[::-1])
)
exec((_)(b"payload"))
install.run(self)
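As an added illustration of the data-flow tracking these release notes describe (example code written for this page, not the project's own implementation), the resolver below folds string concatenation, dict dispatch tables, getattr/__import__/import_module indirection and base64-decoded exec arguments back to the underlying callee; it is intra-module only, so the cross-function `doit` pattern above is out of its scope. `SUSPICIOUS` is an assumed placeholder list, and the sample is constructed and omits imports because names that are never assigned resolve to themselves.

```python
import ast, base64
SUSPICIOUS = {"os.system", "os.popen", "os.getlogin", "exec", "eval"}  # assumed, deliberately short

class Ref(str): "A resolved dotted reference such as 'os.system', unlike a plain string constant."

def fold(node, env):
    """Statically resolve an expression to a constant, a Ref, a dict of those, or None."""
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.Name):  # names never assigned (builtins, imported modules) stand for themselves
        return env.get(node.id, Ref(node.id))
    if isinstance(node, ast.Attribute) and isinstance(base := fold(node.value, env), Ref):
        return Ref(f"{base}.{node.attr}")
    if isinstance(node, ast.Dict):  # dispatch tables such as {"run": os.system}
        return {fold(k, env): fold(v, env) for k, v in zip(node.keys, node.values) if k}
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):  # "sys" + "tem"
        left, right = fold(node.left, env), fold(node.right, env)
        return left + right if type(left) in (str, bytes) and type(right) is type(left) else None
    if isinstance(node, ast.Subscript):  # table["run"]
        box, key = fold(node.value, env), fold(node.slice, env)
        return box[key] if isinstance(box, dict) and key in box else None
    if isinstance(node, ast.Call):
        fn, args = fold(node.func, env), [fold(a, env) for a in node.args]
        if fn in ("__import__", "importlib.import_module") and args and type(args[0]) is str:
            return Ref(args[0])
        if fn == "getattr" and len(args) > 1 and isinstance(args[0], Ref) and type(args[1]) is str:
            return Ref(f"{args[0]}.{args[1]}")
        if fn == "base64.b64decode" and args and type(args[0]) in (str, bytes):
            try:
                return base64.b64decode(args[0])
            except ValueError:  # malformed base64 in the scanned code: give up on this value only
                return None
    return None

def scan(source):  # -> [(lineno, callee, folded args)] for each call whose target or argument is SUSPICIOUS
    tree, env, found = ast.parse(source), {}, []
    for node in ast.walk(tree):  # breadth-first, so a top-level assignment precedes the calls that use it
        if isinstance(node, ast.Assign) and isinstance(node.targets[0], ast.Name):
            env[node.targets[0].id] = fold(node.value, env)
        elif isinstance(node, ast.Call):
            fn, args = fold(node.func, env), [fold(a, env) for a in node.args]
            found += [(node.lineno, str(v), args) for v in [fn, *args] if isinstance(v, Ref) and v in SUSPICIOUS]
    return sorted(found, key=lambda f: f[0])

# Constructed sample modelled on the patterns above; the base64 blob decodes to print('hi')
SAMPLE = """getattr(__import__("os"), "sys" + "tem")("ls")
table = {"run": os.system}
table["run"]("ls")
list(map(os.system, ["ls"]))
exec(base64.b64decode(b"cHJpbnQoJ2hpJyk="))
"""
```

Running `scan(SAMPLE)` reports os.system on lines 1, 3 and 4 and exec on line 5 together with the decoded payload, which is the kind of evidence a reviewer wants next to a flagged package.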