jholowczak-cb edited this page Aug 14, 2019 · 9 revisions

This page outlines how to set up Binee for processing binaries in your environment.

Docker

For ease of use, we provide a Dockerfile for quickly getting started with Binee. This has the added benefit of creating a reproducible environment for testing Binee, which makes it easier to debug across differing host systems. We recommend using this Dockerfile if you are contributing to Binee.

To build the container, run the following docker command within the root of the Binee repo:

  docker build -t binee .

To run your newly built Docker container:

  docker run -it -v $PWD:/bineedev/go/src/binee -v <path to malware directory>:/malware binee bash

From here all that's left is to get the dependencies for the project and build binee.

root@2b0fee41629f:~/go/src/binee# go get
root@2b0fee41629f:~/go/src/binee# go build

Now we can run binee in our container!

root@2b0fee41629f:~/go/src/binee# ./binee -v
usage ./binee [-aAhvveis] [FILE] [ARGS]
  -a <apiset dll name>     Returns the real dll name given an apiset dll
  -A                       List all apisets and their mappings
  -c FILE                  Path to a configuration file
  -d                       Show dll names with function in output
  -e FILE                  List file exports
  -h                       Show this usage menu
  -i FILE                  List file imports
  -j                       Output as JSON
  -l                       Run full DllMain of imported functions with debug output
  -s                       Run application through binee debugger
  -v[v]                    Verbosity level, two v's for more verbose

Binee cannot start emulating binaries until we set up the mock operating system.

Setting up the mock Operating System

Before being able to process binaries with Binee, we must gather the proper libraries from the operating system we are emulating.

This includes editing the applicable configuration file for each operating system, located in the config directory in the Binee project. The included configurations are necessary because they serve as the default configuration for the associated operating system. Other configurations can be added and used by passing -c <config file> when running Binee.

If you are missing any libraries, Binee will print a line to stderr that indicates the file missing from the mock operating system.

Libraries are typically placed in the os folder in the Binee project directory, with each first-level subdirectory holding a different operating system. Each of these subdirectories should be treated as the root of the installation drive, as if it were a full OS install. Libraries and any supporting files should be placed where they would typically be found on a full operating system (e.g. kernel32.dll in the C:\Windows\System32\ directory on Windows), but relative to the root os folder.

The common naming scheme for os subdirectories is <os>_<bitness>.

Windows

The default Windows configuration file is located at config/win.yaml. This file can be changed to suit your needs, but keep in mind that Binee will not function properly if there are any errors within the configuration itself. Out of the box, Binee is configured to emulate 32-bit Windows 10. To get the default configuration to work, we therefore have to gather DLLs from a proper 32-bit Windows 10 installation and place them in the proper directory. In the case of Windows, most of the DLLs will live in the windows/system32 folder within the root os directory within Binee.

To set up the default in this example, follow these steps from the Binee project root:

  1. mkdir -p os/win10_32
  2. cd os/win10_32
  3. mkdir -p windows/system32
  4. cd windows/system32
  5. cp -R <directory with dll files> .
  6. find . -depth -mindepth 1 | while IFS= read -r f; do mv -v "$f" "$(dirname "$f")/$(basename "$f" | tr '[A-Z]' '[a-z]')"; done

From here Binee should have everything it needs to emulate a binary.

Note: all DLLs need to have lowercase names on Linux. Step 6 is required for the conversion.

If you want to emulate a different Windows version, follow the same steps as above, but change the win10_32 folder to the proper version/bitness. If you want this different version to be the default whenever Binee is run, change the value of the root key in config/win.yaml.
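
An added example, not part of the Binee project: the lowercase conversion from step 6 as a shell function that renames children before their parent directories, copes with spaces in names, and refuses to overwrite when two names differ only by case. The function names lowercase_tree and count_uppercase are made up for this example.

```shell
#!/bin/sh
# Added example, not part of Binee. Function names are made up here.
# Assumes Linux (case-sensitive filesystem) and no newlines in file names.

# lowercase_tree DIR: rename every file and directory below DIR to lowercase.
# Returns 0 on success, 1 if a rename was skipped, 2 on a usage error.
lowercase_tree() {
    root=$1
    rc=0
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    list=$(mktemp) || return 2
    # -depth lists children before their parent directory, so each path is
    # still valid at the moment it is renamed. -mindepth 1 skips DIR itself.
    find "$root" -depth -mindepth 1 > "$list"
    while IFS= read -r path; do
        dir=$(dirname "$path")
        base=$(basename "$path")
        lower=$(printf '%s' "$base" | tr '[:upper:]' '[:lower:]')
        [ "$base" = "$lower" ] && continue
        if [ -e "$dir/$lower" ]; then
            # Two names differ only by case: keep both, report, do not clobber.
            echo "collision, skipped: $path (exists: $dir/$lower)" >&2
            rc=1
            continue
        fi
        mv "$path" "$dir/$lower"
    done < "$list"
    rm -f "$list"
    return $rc
}

# count_uppercase DIR: print how many names below DIR still contain an
# uppercase letter (0 means the tree is fully converted).
count_uppercase() {
    find "$1" -mindepth 1 -name '*[[:upper:]]*' | wc -l | tr -d ' '
}

# When run as a script with a directory argument (for example os/win10_32),
# convert that directory and report what is left.
if [ "$#" -gt 0 ]; then
    lowercase_tree "$1"
    echo "names still containing uppercase: $(count_uppercase "$1")"
fi
```

A non-zero count after the run points at the collisions printed on stderr; resolve those by hand before emulating.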

Registry

For Windows, the binee configuration file allows mocking the registry. Under the registry key in config/win.yaml, keys and values can be defined for the emulation of a binary. This is particularly useful for samples that may need certain keys to exist and be populated in order to be emulated properly.