Xori – Custom disassembly framework
Xori is an automation-ready disassembly and static analysis library that consumes shellcode or PE binaries and provides triage analysis data.
Architectures:
- i386
- x86-64
File Formats:
- PE, PE+
- Plain shellcode
Current Features:
- Outputs JSON of the 1) disassembly, 2) functions, and 3) imports.
- Manages Image and Stack memory.
- 2 modes:
  - Light Emulation – meant to enumerate all paths (registers, stack, some instructions).
  - Full Emulation – only follows the code’s actual path (slow performance).
- Simulated TEB & PEB structures.
- Evaluates functions based on DLL exports.
- Displays strings based on referenced memory locations.
- Uses FLIRT style signatures (Fast Library Identification and Recognition Technology).
- Allows you to use your own exports for simulating the PEB.
- Will detect padding after a non-returning call.
- Will try to identify function references from offsets.
What it doesn’t do yet:
- An interactive engine.
- Does not dump strings.
- Does not process non-executable sections.
- TEB and PEB are not enabled for non-PE files.
- Only some x86 instructions are emulated, not all.
- Patching and assembling.
- No plugins or scripting.
Authors:
- Amanda Rousseau @malwareunicorn
- Rich Seymour @rseymour
- Lucien Brule @_LucienBrule
Source: https://github.com/endgameinc/