virusbattle-sdk / BinJuice
Accessing VirusBattle requires downloading and setting up the VirusBattle SDK. See Installation, Setup, Registration to set it up.
BinJuice with VirusBattle
VirusBattle provides several fully automated semantic reverse engineering services. The service that extracts the abstract semantics (juice) of basic blocks of x86 code is called srlJuice. To extract juice, all you need to do is upload a PE-32 executable, either as is or as part of a compressed archive. Wait for a few seconds, and download the result files.
Uploading to VirusBattle
See Uploading Files for a detailed HowTo. The easiest way to upload to VirusBattle is:
vbclient.py -a upload <path to file>
To find out if the uploaded file has been processed or not:
vbclient.py -a status <sha1 of uploaded file>
You may also want to use the Query option for details:
vbclient.py -a query <sha1 of uploaded file>
Downloading Juice File
To download results of VirusBattle, use the Download action:
vbclient.py -a download <sha1 of uploaded file>
This downloads the VirusBattle service result files into the ./Results folder. To avoid downloading results from other services (srlStatic, etc.), set the appropriate VIRUSBATTLE_SERVICE_FILTER as described below.
Generate Mapping between PE File and Juice File
To generate service maps, use the map action:
vbclient.py -a map <sha1 of uploaded file>
This creates CSV map files in the ./Results directory, with rows of the form original_file_sha1,result_file_sha1
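To join a local sample against the map files described above, the following added example (not part of the VirusBattle SDK) computes the sample's SHA-1 and looks it up in every CSV map under a results directory. It assumes the map files end in .csv and hold two unquoted SHA-1 columns; the function names are hypothetical.

```python
import csv
import hashlib
import re
import tempfile
from collections import defaultdict
from pathlib import Path

SHA1_RE = re.compile(r"[0-9a-f]{40}")

def sha1_of_file(path, chunk_size=1 << 20):
    """SHA-1 of a local sample: the identifier the status/query/download/map actions take."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def load_service_maps(results_dir):
    """Merge every CSV map in results_dir into {original_sha1: {result_sha1, ...}}."""
    mapping = defaultdict(set)
    # Assumption: map files carry a .csv extension; the page only says "csv map files".
    for map_file in sorted(Path(results_dir).glob("*.csv")):
        with open(map_file, newline="") as fh:
            for row in csv.reader(fh):
                cells = [c.strip().lower() for c in row]
                # Skip header lines, blanks and any row that is not two SHA-1 digests.
                if len(cells) != 2 or not all(SHA1_RE.fullmatch(c) for c in cells):
                    continue
                mapping[cells[0]].add(cells[1])
    return dict(mapping)

def results_for_sample(sample_path, results_dir):
    """Result-file SHA-1s mapped to the local sample, sorted; empty if none are mapped."""
    return sorted(load_service_maps(results_dir).get(sha1_of_file(sample_path), ()))

if __name__ == "__main__":
    # Constructed demo data: a stand-in sample and one map file in a temp directory.
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp, "sample.bin")
        sample.write_bytes(b"constructed sample bytes")
        original = sha1_of_file(sample)
        juice = hashlib.sha1(b"constructed juice result").hexdigest()
        Path(tmp, "demo_map.csv").write_text(
            "original_file_sha1,result_file_sha1\n" + f"{original},{juice}\n"
        )
        print(original, "->", results_for_sample(sample, tmp))
```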
Filter Other Services
If you are only interested in results from this service and want to exclude results from other VirusBattle services (srlUnpacker, srlStatic, srlSimService, etc.), you can filter them out by setting the appropriate value for the VIRUSBATTLE_SERVICE_FILTER environment variable.
The variable accepts a case-sensitive, comma-separated list of service names to filter out. You can filter out as many or as few services as you choose.