Inroduction
PyREBox – Python Scriptable Reverse Engineering Sandbox is an open-source tool based on QEMU, with environment for malware monitoring and reverse engineering. It’s equipped with additional tools for:
- system/application debugging
- memory contents inspecting
- system/application dynamic analysis
PyREBox creates an emulated environment for the entire system which allows monitoring without requiring the installation of specific drivers or agents. It works directly at the emulator level and the provided VMI (Virtual Machine Introspection) API, based on Volatility. PyREBox can change parts of the running system by changing data in memory or within processor registers. Available environments for creation: i386 and x86_64 (ARM, MIPS, and other architectures is on the roadmap, but not yet supported).
Install/Build PyREBox
There is no support for PyREBox (Python Scriptable Reverse Engineering Sandbox) package installation yet, but they provide build script and Dockerfile. To install dependencies, run:
- Debian based distributions:
apt-get install build-essential zlib1g-dev pkg-config libglib2.0-dev binutils-dev libboost-all-dev autoconf libtool libssl-dev libpixman-1-dev libpython-dev python-pip virtualenv python-capstone
- Required python packages:
ipython>=5,<6 sphinx sphinx-autobuild prettytable pefile capstone distorm3 pycrypto pytz
First, create the virtual env:
virtualenv pyrebox_venv
Then, activate it (activation will allow you to install python dependencies):
# source pyrebox_venv/bin/activate
Install the python dependencies using pip :
# pip install -r requirements.txt
Don’t forget to activate your virtual env every time you want to start PyREBox!
# source pyrebox_venv/bin/activate
Project configuration and building:
# ./build.sh
To start VM withing PyREBox, you need to run it exactly as you were booting up a QEMU VM. QEMU monitor option – -monitor stdio .
PyREBox Shell
To start PyREBox shell just type sh command on QEMU’s monitor and it will start an IPython shell, immediately. Available features in IPython:
- auto-completion
- command history
- multi-line editing
- automated command help generation
To see a full list of commands type the following:
%list_commands %list_vol_commands
%list_commands – provides a list of PyREBox commands.
%list_vol_commands – lists all the available volatility commands:
Other Shell operation commands:
vol comm– enter a Volatility commandcustom comm– enter a custom commandproc– specify working context to a given processmon– monitor a processunmon– stop monitoring a processset_cpu– set the CPU number to operate onq Exit– PyREBox shell and continue execution.c Exit– -||-continue– exit PyREBox shell and continue execution.quit– -||-ctrl-d– -||-help(*api*)– obtain help for an API function or constanthelp(*comm*)– help for a PyREBox command*api*?– obtain help for an API function*comm*?– help for a PyREBox command
Scripting
PyREBox allows us to dynamically load scripts that can register callback functions. If any of the following events occur, these functions will be called:
- Instruction and/or basic block execution
- Network interface and keyboard events
- Process creation/termination
- Memory read/write
- Context switch
- TLB miss
- etc.
PyREBox is integrated with Volatility, so it will let you take advantage of all volatility plugins for memory forensics in your python scripts. It is also possible to create triggers (Triggers are C/C++ compiled shared objects that are associated to a given callback).
Triggers can access variables associated to the callback (trigger variables), which can be set in the python script once the trigger has been loaded. You can find several examples of triggers here.
