Tales of Python: Disassemblers & Scripting
In Reverse Engineering, one should expect to read assembly or any low level code related to that platform. Especially if you are dealing with malware or shellcode. You extract shellcode from captured packets (or log?) and try to figure out what it does. Sure you can create a wrapper code and debug it.
As a lazy person, I just want to disassemble the shellcode and avoid doing something unnecessary. There should be a better way to do it. Scripting! Let Python do the magic.
So I tried some disassemblers which are developed or have binding in Python. The goal is to do scripting, so I set some criteria:
- Library should run on Python 3 (Python 2 is dead, so move on)
- Can disassemble at least x86 / x64. More architecture support = better.
- Work on shellcode or portion of binary, not only full executable.
With that in mind, I evaluate available disassemblers for Python. Some are successful, some are not. By success, it mean I can evaluate them properly. I can install it on Python 3 and run the script without any problem.
Successful attempt:
- amoco
- capstone
- distorm3
- miasm
Failed attempt:
- BeaEnginePython
- pydasm
- zydis
To clarify, I only test x86 disassembly capability. I also write only libraries I have successfully evaluate. Tell me if you have alternative libraries or when the failed libraries became usable in Python 3.
Amoco
“Yet another tool for analyzing binaries”
Github: https://github.com/bdcht/amoco
Architecture: ARM, AVR, SPARC, x86
Amoco is promising library. It can load shellcode file or processing raw string. However, disassembly is not automatic. I have to iterate manually, specify the address I want to interpret. It might be useful to analyze polymorphic shellcode, but let save it for later.
Accuracy is acceptable. It’s able to disassemble some shellcode correctly.
Xathrya’s rate: 3/5.
Capstone
Github: https://github.com/aquynh/capstone
Architecture: ARM, AArch64, BPF, EVM, M68K, M680X, MOS65xx, MIPS, PPC, RISCV, SPARC, SystemZ, TMS320C64x, WAsm, x86/x64, XCore.
Capstone is truly a library for disassembly. Python binding is smooth. Some tools use Capstone for disassembly. Truly beautiful.
Capstone support so many architectures. Integration is easy. As seen, I only invoke a function to do disassembly and iterate over them.
Xathrya’s rate: 5/5
Distorm3
Github: https://github.com/gdabah/distorm
Architecture: x86/x64
Accuracy is good. Easy to use, similar to Capstone. Personally, I like this second to Capstone, despite Distorm3 support only x86/x64 architecture.
Xathrya’s rate: 4/5
Miasm
Github: https://github.com/cea-sec/miasm
Architecture: ARM, MIPS, MSP430, SH4, x86
Last place in my favorite, but doesn’t mean it’s bad.
Miasm is a huge tools. As a framework for Reversing in Python, it also has capability for disassembling. There are some alternatives way to do disassembly but I will use the easiest one.
Disassembling a shellcode need some attention here. I can read the raw string. The problem is, I have to instantiate some class to disassemble, abstraction is little here.
Disassembly result in blocks. You can traverse block by block, see the flow textually. While it is good thing in some cases, it might be too overwhelm for our test.
Xathrya’s rate: 4/5
So, why do I evaluate them? That’s a secret for now. Follow MII Cybersec, see our upcoming project.
