M3rcuryLake/Nyxelf: Nyxelf is a highly effective tool tailored for analyzing malicious Linux ELF binaries, offering comprehensive support for both static and dynamic analysis techniques.
Nyxelf is a powerful tool for analyzing malicious Linux ELF binaries, offering both static and dynamic analysis. It combines tools such as readelf, objdumpand pyelftools for static analysis using a custom sandbox for dynamic analysis in a controlled environment using QEMU, a small Buildroot-generated image, and strace. With Nyxelf, you can gain deep insights into executable files, including unpacking, syscall tracing, and process/file activity monitoring, all presented through an intuitive GUI that operated by pywebview.
Json files and other logs are stored in /datawhile the file-system and kernel image are stored in the /sandbox.
Install the required packages: Make sure you have python3 and python-pip installed and path set and run the following commands,
sudo apt install qemu-kvm libvirt-daemon-system libvirt-clients bridge-utils virt-manager e2tools -y
git clone https://github.com/m3rcurylake/nyxelf.git
cd nyxelf && pip install -r requirements.txt
After everything is installed, you can run Nyxelf as follows:
-
Static Analysis:
- Explore ELF headings, sections, and symbols.
- Decode assembly and variable data.
- Analyze suspicious imports that may be related to anti-debugging.
-
Dynamic Analysis:
- Run the binary in a secure QEMU-based sandbox.
- Record process activity, syscalls, and file interactions
strace. - Supports custom verbosity for syscall tracing.
-
Other Features:
- Optional automatic UPX unpacking.
- JSON output for automated workflows.
- Adjustable syscall trace verbosity and string length filtering.
>> python3 Nyxelf.py (-h) (--unpack) (--json) --file FILE (--short) (--length LENGTH)
_____ ___ ___ ___ ___ ___ _______ ___ _______
(" \|" \ |" \/" | |" \/" "https://github.com/" "| |" "https://github.com/" "|
|.\\ \ | \ \ / \ \ / (: ______) || | (: ______)
|: \. \\ | \\ \/ \\ \/ \/ | |: | \/ |
|. \ \. | / / /\. \ // ___)_ \ |___ // ___)
| \ \ | / / / \ \ (: "| ( \_|: \ (: (
\___|\____\) |___/ |___/\___| \_______) \_______) \__/
(Another ELF Analysis Framework)
options:
-h, --help show this help message and exit
--unpack Attempt to unpack UPX file before analysis.
--json Save JSON output of the analysis.
--file FILE Path to the file to be analyzed.
--short Use short trace output (hides args and reduces verbosity).
--length LENGTH Maximum length of ASCII strings in strace output.
Nyxelf simplifies static and dynamic analysis of ELF binaries,
enabling you to extract valuable insights effortlessly.
And can be used for vulnerability assessments, unpacking,
syscall tracing, and memory analysis.
Examples:
Analyze an ELF file statically and dynamically:
python3 nyxelf.py --file path/example.elf --json --unpack
Perform a detailed syscall trace with reduced verbosity:
python3 nyxelf.py --file path/example.elf --short --length 1024
Happy analyzing!
(&) https://github.com/m3rcurylake
(&) By Ankit Mukherjee
.
├── data
├── frontend
│ ├── assets
│ │ ├── BebasNeue-Regular.ttf
│ │ └── Nunito-Regular.ttf
│ └── styles
│ └── static.css
├── nyxelf.py
├── README.md
├── requirements.txt
├── sandbox
│ ├── bzImage
│ └── rootfs.ext2
└── src
├── __init__.py
├── modules
│ ├── anti_debug_apis.py
│ ├── __init__.py
│ ├── __main__.py
│ ├── packer_detection.py
│ ├── section_entropy.py
│ └── variables.py
├── sandbox.py
├── static_analysis.py
└── trace_parser.py
- Decompiler and Disassembler Support
- Network Analysis
- Better UI and Optimization
- Anti anti-debugging for ptrace etc.
- Disassemble the Pyinstaller files
- Add Effective Logging
https://opengraph.githubassets.com/23b60a12807023df88755d911fe3e90912af2b20d82c5cd7941ee9aba7121303/M3rcuryLake/Nyxelf
2025-01-14 11:33:00
