PyREBox offers a complete set of commands to inspect and modify the state of the running VM. Just type list_commands to obtain a complete list. You can run any Volatility plugin just by typing vol followed by the corresponding Volatility command. For a complete list of available Volatility plugins, type list_vol_commands. This list is generated automatically, so it will also show any Volatility plugin you install on PyREBox's volatility/ path.
You can also define your own commands! It is as simple as declaring a function in a script, and loading it.
If you need something more expressive than a command, you can write a Python snippet leveraging the API. For a detailed description of the API, see the Documentation or type help(api) in the shell.
PyREBox can dynamically load scripts that register callback functions, which are called when certain events occur: instructions executed, memory read or written, processes created or destroyed, and so on.
Because PyREBox is integrated with Volatility, your Python scripts can take advantage of all the Volatility plugins for memory forensics. Many of the best-known reverse engineering tools are implemented in Python or at least have Python bindings, and our approach makes it possible to integrate any of these tools into a script.
Finally, since Python callbacks can introduce a performance penalty on frequent events such as instructions executed, it is also possible to create triggers. Triggers are native-code plug-ins (developed in C/C++) that can be inserted dynamically at run time on any event, just before the Python callback is executed. This makes it possible to limit the number of events that reach the Python code, as well as to precompute values in native code.
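As an added illustration (not one of PyREBox's own example scripts), the following shows the shape of a loadable script that registers process-creation and process-removal callbacks, keeps a table of live guest processes, and exposes that table as a custom shell command. It assumes the api.CallbackManager interface with new_style=True callbacks receiving a params dict holding pid, pgd and name, and that a function named do_<name> becomes the shell command <name>; the stand-in CallbackManager class exists only so the bookkeeping can be exercised outside the PyREBox shell.

```python
try:
    from api import CallbackManager   # real API, available when loaded inside PyREBox
except ImportError:
    # Stand-in used only outside PyREBox (e.g. unit tests); it never fires callbacks.
    class CallbackManager(object):
        CREATEPROC_CB = "createproc"
        REMOVEPROC_CB = "removeproc"
        def __init__(self, module_hdl, new_style=False):
            self.registered = {}
        def add_callback(self, cb_type, func, name=None):
            self.registered[name or cb_type] = func
        def clean(self):
            self.registered.clear()

cm = None              # this module's CallbackManager, created in initialize_callbacks()
pyrebox_print = print  # replaced by the shell's printer when PyREBox loads the script
live_procs = {}        # pid -> (pgd, name) for processes created and not yet removed

def new_proc(params):
    # CREATEPROC_CB (new-style): params is a dict; keys pid/pgd/name are assumed
    live_procs[params["pid"]] = (params["pgd"], params["name"])

def removed_proc(params):
    # REMOVEPROC_CB: drop the entry; a pid never seen created is simply ignored
    live_procs.pop(params["pid"], None)

def live_process_lines():
    return ["%6d  %#018x  %s" % (pid, pgd, name)
            for pid, (pgd, name) in sorted(live_procs.items())]

def do_live_procs(line):
    # Naming a function do_<name> makes 'live_procs' a command in the PyREBox shell
    for row in live_process_lines():
        pyrebox_print(row)
    pyrebox_print("[*] %d live processes tracked" % len(live_procs))

def initialize_callbacks(module_hdl, printer):
    # Entry point PyREBox calls when the script is loaded
    global cm, pyrebox_print
    pyrebox_print = printer
    cm = CallbackManager(module_hdl, new_style=True)
    cm.add_callback(CallbackManager.CREATEPROC_CB, new_proc, name="track_new_proc")
    cm.add_callback(CallbackManager.REMOVEPROC_CB, removed_proc, name="track_removed_proc")
    return cm

def clean():
    # Entry point PyREBox calls when the script is unloaded
    global cm
    if cm is not None:
        cm.clean()
    live_procs.clear()
```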
In this repository you will find example scripts that can help you to write your own code. Contributions are welcome!
First of all, PyREBox would not be possible without QEMU and Volatility. We thank their developers and maintainers for such great work.
PyREBox is inspired by several academic projects, such as DECAF or PANDA. In fact, many of the callbacks supported by PyREBox are equivalent to those found in DECAF, and the concepts behind the instrumentation are based on these works.
PyREBox benefits from third-party code, which can be found under the directory pyrebox/third_party. For each third-party project, we include an indication of its original license, the original source code files taken from the project, as well as the modified versions of the source code files (if applicable), used by PyREBox.