M3rcuryLake/Nyxelf: Nyxelf is a highly effective tool tailored for analyzing malicious Linux ELF binaries, offering comprehensive support for both static and dynamic analysis techniques.

2025-01-14 03:33:00
github.com

Nyxelf is a powerful tool for analyzing malicious Linux ELF binaries, offering both static and dynamic analysis. It combines tools like readelf, objdump, and pyelftools for static analysis with a custom sandbox for dynamic analysis in a controlled environment using QEMU, a minimal Buildroot-generated image, and strace. With Nyxelf, you can gain deep insights into executable files, including unpacking, syscall tracing, and process/file activity monitoring, all presented through an intuitive GUI powered by pywebview.

Json files and other logs are saved to /data, while the file-system and kernel image is saved to /sandbox.

Install required packages: Ensure you have python3 and python-pip installed and set to path and run the following commands,

sudo apt install qemu-kvm libvirt-daemon-system libvirt-clients bridge-utils virt-manager e2tools -y
git clone https://github.com/m3rcurylake/nyxelf.git
cd nyxelf && pip install -r requirements.txt

After everything is completely installed, you can run Nyxelf as following:

Static Analysis:
- Inspect ELF headers, sections, and symbols.
- Decode assembly and variable data.
- Analyze suspicious imports which can be related to anti-debugging.
Dynamic Analysis:
- Run binaries in a secure QEMU-based sandbox.
- Record process activity, syscalls, and file interactions with strace.
- Supports custom verbosity for syscall tracing.
Other Features:
- Optional automatic UPX unpacking.
- JSON output for automated workflows.
- Adjustable syscall trace verbosity and string length filtering.

>> python3 Nyxelf.py [-h] [--unpack] [--json] --file FILE [--short] [--length LENGTH]

 _____  ___    ___  ___   ___  ___    _______   ___         _______
("   \|"  \  |"  \/"  | |"  \/"  "https://github.com/"     "| |"  "https://github.com/"     "|
|.\\   \    |  \   \  /   \   \  /  (: ______) ||  |      (: ______)
|: \.   \\  |   \\  \/     \\  \/    \/    |   |:  |       \/    |
|.  \    \. |   /   /      /\.  \    // ___)_   \  |___    // ___)
|    \    \ |  /   /      /  \   \  (:      "| ( \_|:  \  (:  (
 \___|\____\) |___/      |___/\___|  \_______)  \_______)  \__/

            [Another ELF Analysis Framework]

options:
  -h, --help       show this help message and exit
  --unpack         Attempt to unpack UPX file before analysis.
  --json           Save JSON output of the analysis.
  --file FILE      Path to the file to be analyzed.
  --short          Use short trace output (hides args and reduces verbosity).
  --length LENGTH  Maximum length of ASCII strings in strace output.

Nyxelf simplifies static and dynamic analysis of ELF binaries,
enabling you to extract valuable insights effortlessly.
And can be used for vulnerability assessments, unpacking,
syscall tracing, and memory analysis.

Examples:
  Analyze an ELF file statically and dynamically:
    python3 nyxelf.py --file path/example.elf --json --unpack

  Perform a detailed syscall trace with reduced verbosity:
    python3 nyxelf.py --file path/example.elf --short --length 1024

Happy analyzing!
[&] https://github.com/m3rcurylake
[&] By Ankit Mukherjee

.
├── data
├── frontend
│   ├── assets
│   │   ├── BebasNeue-Regular.ttf
│   │   └── Nunito-Regular.ttf
│   └── styles
│       └── static.css
├── nyxelf.py
├── README.md
├── requirements.txt
├── sandbox
│   ├── bzImage
│   └── rootfs.ext2
└── src
    ├── __init__.py
    ├── modules
    │   ├── anti_debug_apis.py
    │   ├── __init__.py
    │   ├── __main__.py
    │   ├── packer_detection.py
    │   ├── section_entropy.py
    │   └── variables.py
    ├── sandbox.py
    ├── static_analysis.py
    └── trace_parser.py

Decompiler and Disassembler Support
Network Analysis
Better UI and Optimisation
Anti anti-debugging for ptrace etc.
Disassemble Pyinstaller files
Add Effective Logging

Source Link

Keep your files stored safely and securely with the SanDisk 2TB Extreme Portable SSD. With over 69,505 ratings and an impressive 4.6 out of 5 stars, this product has been purchased over 8K+ times in the past month. At only $129.99, this Amazon’s Choice product is a must-have for secure file storage.

Help keep private content private with the included password protection featuring 256-bit AES hardware encryption. Order now for just $129.99 on Amazon!

Start your free Amazon Prime trial
today and unlock unlimited streaming and more!

Support Techcratic

If you find value in Techcratic’s insights and articles, consider supporting us with Bitcoin. Your support helps me, as a solo operator, continue delivering high-quality content while managing all the technical aspects, from server maintenance to blog writing, future updates, and improvements. Support Innovation! Thank you.

Bitcoin Address:

bc1qlszw7elx2qahjwvaryh0tkgg8y68enw30gpvge

Please verify this address before sending funds.