PyREBox – Python Scriptable Reverse Engineering Sandbox

Last Commit: 06/27/2019

PyREBox – Python Scriptable Reverse Engineering Sandbox

Inroduction

PyREBox – Python Scriptable Reverse Engineering Sandbox is an open-source tool based on QEMU, with environment for malware monitoring and reverse engineering. It’s equipped with additional tools for:

  • system/application debugging
  • memory contents inspecting
  • system/application dynamic analysis

PyREBox creates an emulated environment for the entire system which allows monitoring without requiring the installation of specific drivers or agents. It works directly at the emulator level and the provided VMI (Virtual Machine Introspection) API, based on Volatility. PyREBox can change parts of the running system by changing data in memory or within processor registers. Available environments for creation: i386 and x86_64 (ARM, MIPS, and other architectures is on the roadmap, but not yet supported).

Note: This program is provided “AS IS”, and no support is guaranteed. If you find some bugs, report them here.

Install/Build PyREBox

There is no support for PyREBox (Python Scriptable Reverse Engineering Sandbox) package installation yet, but they provide build script and Dockerfile. To install dependencies, run:

  • Debian based distributions:
apt-get install build-essential zlib1g-dev pkg-config libglib2.0-dev binutils-dev libboost-all-dev autoconf libtool libssl-dev libpixman-1-dev libpython-dev python-pip virtualenv python-capstone
  • Required python packages:
ipython>=5,<6 sphinx sphinx-autobuild prettytable pefile capstone distorm3 pycrypto pytz
Recommendation: To prevent volatility package interfere used by PyREBox, use a virtual env to install your python dependencies.

First, create the virtual env:
virtualenv pyrebox_venv

Then, activate it (activation will allow you to install python dependencies):

# source pyrebox_venv/bin/activate

Install the python dependencies using pip :

# pip install -r requirements.txt

Don’t forget to activate your virtual env every time you want to start PyREBox!

# source pyrebox_venv/bin/activate 

Project configuration and building:

# ./build.sh

To start  VM withing PyREBox, you need to run it exactly as you were booting up a QEMU VM. QEMU monitor option – -monitor stdio .

PyREBox Shell

To start PyREBox shell just type sh command on QEMU’s monitor and it will start an IPython shell, immediately. Available features in IPython:

  • auto-completion
  • command history
  • multi-line editing
  • automated command help generation
PyREBox will allow you to debug the system (or a process) in a fairly stealthy way. Unlike traditional debuggers which stay in the system being debugged (even modifying the memory of the debugged process to insert breakpoints), PyREBox stays completely outside the inspected system, and it does not require the installation of any driver or component into the guest. (docu)

To see a full list of commands type the following:

%list_commands
%list_vol_commands

%list_commands – provides a list of PyREBox commands.

%list_vol_commands –  lists all the available volatility commands:

Python Scriptable Reverse Engineering Sandbox list_commands

Other Shell operation commands:

  • vol comm – enter a Volatility command
  • custom comm – enter a custom command
  • proc – specify working context to a given process
  • mon – monitor a process
  • unmon – stop monitoring a process
  • set_cpu – set the CPU number to operate on
  • q Exit – PyREBox shell and continue execution.
  • c Exit – -||-
  • continue – exit PyREBox shell and continue execution.
  • quit – -||-
  • ctrl-d – -||-
  • help(*api*) – obtain help for an API function or constant
  • help(*comm*) – help for a PyREBox command
  • *api*? – obtain help for an API function
  • *comm*? – help for a PyREBox command

Scripting

PyREBox allows us to dynamically load scripts that can register callback functions. If any of the following events occur, these functions will be called:

  • Instruction and/or basic block execution
  • Network interface and keyboard events
  • Process creation/termination
  • Memory read/write
  • Context switch
  • TLB miss
  • etc.

PyREBox is integrated with Volatility, so it will let you take advantage of all volatility plugins for memory forensics in your python scripts. It is also possible to create triggers (Triggers are C/C++ compiled shared objects that are associated to a given callback).

Triggers can access variables associated to the callback (trigger variables), which can be set in the python script once the trigger has been loaded. You can find several examples of triggers here.