Viper – Binary Management and analysis Framework

Viper

I will maintain this page for reference but if you are looking for an updated instillation guide for Viper see this page.

When it comes to analysing malware it can be a fairly complex affair. Depending on the complexity of the malware your analysing there are many approaches you can take and each of these will typically require the use of several tools or scripts. This is where http://viper.li comes in to play.

Created by Claudio ‘nex’ Guarnieri, viper is “A binary management and analysis framework dedicated to malware and exploit researchers.” It comes with some basic features that allow you to add search and work with samples. Where it comes into strength is through the community contributed modules. These modules greatly extend vipers functionality.

At the time of writing the current list of modules are as follows.

Commands

  • clear – Clear the console
  • close – Close the current session
  • delete – Delete the opened file
  • export – Export the current session to file or zip
  • find – Find a file
  • help – Show this help message
  • info – Show information on the opened file
  • notes – View, add and edit notes on the opened file
  • open – Open a file
  • projects – List or switch existing projects
  • sessions – List or switch sessions
  • store – Store the opened file to the local repository
  • tags – Modify tags of the opened file

Modules:

  • apk – Parse Android Applications
  • cuckoo – Submit the file to Cuckoo Sandbox
  • debup – Parse McAfee BUP Files
  • editdistance – Edit distance on the filenames
  • email – Parse eml and msg email files
  • exif – Extract Exif MetaData
  • fuzzy – Search for similar files through fuzzy hashing
  • html – Parse html files and extract content
  • ida – Start IDA Pro
  • idx – Parse Java idx files
  • image – Perform analysis on images
  • jar – Parse Java JAR archives
  • office – Office Document Parser
  • pdf – Extract PDF Stream Information
  • pe – Extract information from PE32 headers
  • reports – Online Sandboxes Reports
  • shellcode – Search for known shellcode patterns
  • strings – Extract strings from file
  • virustotal – Lookup the file on VirusTotal
  • xor – Search for xor Strings
  • yara – Run Yara scan

 Installation

For this installation I’m going to use a Turnkey Ubuntu Server VM Instance which can be found here http://www.turnkeylinux.org/core . I wont bother you with setting up the turnkey VM it should be easy enough to follow the steps.

The setup and installation process for viper is not overly complicated but there are several 3rd party components that we will need in order to enable all the features of Viper.

Pre Install

Lets make sure our ubuntu is up to date and then grab some additional components we are going to need.

root@core ~# apt-get update && apt-get upgrade
root@core ~# apt-get install build-essential python-dev python-pip git automake libtool libimage-exiftool-perl

3rd Party Sources

There are some third-party sources that we need in order to make use of all the available features in viper. For this we need to download and build from a few sources.

I like to store all the temporary build files in one places so I don’t end up with bits and pieces all over the place

root@core ~# mkdir tmp_build

from here ill download all the files im going to need. (Please check for the latest versions if your following this guide literally)

Yara – The pattern matching swiss knife for malware researchers (and everyone else)

https://github.com/plusvic/yara/archive/v3.0.0.tar.gz – Must be 2x or greater

root@core ~/tmp_build# tar zxf v3.0.0.tar.gz
root@core ~/tmp_build# cd yara-3.0.0/
root@core tmp_build/yara-3.0.0#bash build.sh
root@core tmp_build/yara-3.0.0# make install

Test to make sure Yara Runs

root@core tmp_build/yara-3.0.0# yara
usage: yara [OPTION]... RULES_FILE FILE | PID
options:
 -t  only print rules tagged as .
 -i  only print rules named .
 -n only print not satisfied rules (negate).
 -g print tags. . . .

Now lets do the python bindings.

root@core tmp_build/yara-3.0.0# cd yara-python/
root@core yara-3.0.0/yara-python# python setup.py install

and return to the root of our build dir ready for the next one.

root@core yara-3.0.0/yara-python# cd ~/tmp_build/

SSDeep – Computing context triggered piecewise hashes. Also called Fuzzy Hashes.

http://ssdeep.sourceforge.net/#download

grab the latest version and away we go. Tested with version 2.10

root@core ~/tmp_build# tar zxf ssdeep-2.10.tar.gz
root@core ~/tmp_build# cd ssdeep-2.10/
root@core tmp_build/ssdeep-2.10# ./configure && make
root@core tmp_build/ssdeep-2.10# make install

Lets install the python bindings to go with it

root@core tmp_build/ssdeep-2.10# pip install pydeep

test it works and return to our tmp_build directory

root@core tmp_build/ssdeep-2.10# ssdeep -h
root@core tmp_build/ssdeep-2.10# cd ~/tmp_build/

AndroGuard – Reverse engineering, Malware and goodware analysis of Android applications … and more (ninja !)

If you want to use viper to analyze android APKS and decompile Java class files we need to install androguard. I leave it up to you to decide  if you want to include all the androguard dependencies. A basic install of the 1.9 release works fine.

root@core ~/tmp_build# tar zxf androguard-1.9.tar.gz
root@core ~/tmp_build# cd androguard-1.9/
root@core tmp_build/androguard-1.9# python setup.py install

Viper and Python Dependencies

Viper itself has a few extra python dependencies and then each of the modules may have their own as well. For the most part module authors will include them in the requirements.txt file that comes with viper.

cd in to the directory you want to run viper from, and run the following:

root@core ~# git clone https://github.com/botherder/viper
root@core ~# cd viper
root@core ~/viper# pip install -r requirements.txt

If everything worked we should now be able to run the viper shell.

root@core ~/viper# ./viper.py

Ill cover using viper in more detail in some upcoming posts. For now here is a quick example from the main site.

Documentation and Help

The viper Documentation is still being generated but you can find it on http://viper.li If you have any questions or even better if you have something you can contribute head over to the Git Repo or jump on to irc.freenode.net ###viper

 

As usual Questions Queries Comments below.