CPD is a Python script that analyzes binary files with the r2pipe library to identify specific Windows API imports. It looks for the ntdll.dll library and two of its functions, NtSetInformationProcess and RtlSetProcessIsCritical, which can mark a process as "critical": once a process is flagged this way, terminating it causes the system to bugcheck (CRITICAL_PROCESS_DIED). Their presence in the import table may therefore indicate process manipulation or an attempt by the binary to protect itself from being killed.
To use CPD, ensure you have the following installed:
- Radare2 - A powerful open-source reverse engineering framework.
- r2pipe - A Python library for interacting with Radare2.
Install r2pipe using pip:
pip install r2pipe
Run the CPD script with the path to the binary you want to analyze. The script will analyze the binary and print out relevant information about the presence of specific functions and libraries.
python CPD.py <path to binary>
python CPD.py /path/to/your/binary.exe
The script will produce output indicating whether the following components are found in the binary:
- ntdll.dll: the library that exports the two functions below. Importing ntdll.dll on its own is not unusual, so it is only a weak indicator.
- NtSetInformationProcess: a native API used for process manipulation; called with the ProcessBreakOnTermination information class it marks the calling process as critical.
- RtlSetProcessIsCritical: the ntdll wrapper that makes that call, used to mark a process as critical so that terminating it crashes the system (requires SeDebugPrivilege).
- Open Binary: The script opens the specified binary file using r2pipe and Radare2.
- Analyze Imports: It runs the command aaa;iij, which performs a full auto-analysis (aaa) and then lists the imports as JSON (iij). Note that iij reads the import table directly, so the slow aaa step is not actually required for this check.
- Detect Components: The script parses the JSON and checks for the presence of ntdll.dll, NtSetInformationProcess, and RtlSetProcessIsCritical.
- Print Results: It prints a message to the console for each of the specified components that is found.
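The steps above, written out as an added example. This is not the project's CPD.py; it separates the detection logic, which works on the list of dicts that radare2's iij command returns and can run without radare2 installed, from the r2pipe call that opens a real file. The sample import list is constructed, and the handling of older radare2 output (names like ntdll.dll_RtlSetProcessIsCritical without a separate libname field) is an assumption.

```python
"""Static check for process-critical API imports, in the spirit of CPD.

Added example, not the project's own code. classify_imports() consumes
the list of dicts that radare2's `iij` command returns; scan_binary()
wires it to r2pipe for real binaries.
"""
from __future__ import annotations

# Indicators CPD looks for: the library plus the two functions that can
# mark a process as critical (ProcessBreakOnTermination), so that
# terminating it bugchecks the machine with CRITICAL_PROCESS_DIED.
WATCHED_LIBRARY = "ntdll.dll"
WATCHED_FUNCTIONS = ("NtSetInformationProcess", "RtlSetProcessIsCritical")


def _split_import(entry: dict) -> tuple[str, str]:
    """Return (library, function) for one `iij` entry.

    Recent radare2 releases provide a separate "libname" field; older
    ones only had names like "ntdll.dll_RtlSetProcessIsCritical"
    (assumption about the older format, handled defensively).
    """
    name = entry.get("name", "")
    lib = entry.get("libname", "")
    if not lib and ".dll_" in name.lower():
        lib, _, name = name.partition("_")
    return lib.lower(), name


def classify_imports(imports: list[dict]) -> dict:
    """Summarise which watched components appear in an import list."""
    found_lib = False
    found_funcs = set()
    for entry in imports:
        lib, func = _split_import(entry)
        if lib == WATCHED_LIBRARY:
            found_lib = True
        if func in WATCHED_FUNCTIONS:
            found_funcs.add(func)
    return {
        "ntdll": found_lib,
        "functions": sorted(found_funcs),
        # Importing ntdll is unremarkable on its own; only the specific
        # functions suggest the process may try to make itself critical.
        "suspicious": bool(found_funcs),
    }


def report(summary: dict) -> list[str]:
    """Render CPD-style "[+] Found ..." lines from a summary."""
    lines = []
    if summary["ntdll"]:
        lines.append(f"[+] Found {WATCHED_LIBRARY}")
    for func in summary["functions"]:
        lines.append(f"[+] Found {func}")
    return lines


def scan_binary(path: str) -> dict:
    """Open a real binary with radare2 via r2pipe and classify its imports.

    Requires radare2 on PATH and `pip install r2pipe`. `iij` reads the
    import table directly, so full analysis (`aaa`) is not needed.
    """
    import r2pipe  # imported here so the pure functions work without it

    r2 = r2pipe.open(path)
    try:
        imports = r2.cmdj("iij") or []
    finally:
        r2.quit()
    return classify_imports(imports)


# Constructed sample in the shape `iij` returns, standing in for a real
# binary that links ntdll directly.
SAMPLE_IMPORTS = [
    {"ordinal": 1, "bind": "NONE", "type": "FUNC", "name": "CreateFileA",
     "libname": "KERNEL32.dll", "plt": 0x402000},
    {"ordinal": 2, "bind": "NONE", "type": "FUNC", "name": "NtSetInformationProcess",
     "libname": "ntdll.dll", "plt": 0x402008},
    {"ordinal": 3, "bind": "NONE", "type": "FUNC", "name": "RtlSetProcessIsCritical",
     "libname": "ntdll.dll", "plt": 0x402010},
]

if __name__ == "__main__":
    import sys
    summary = (scan_binary(sys.argv[1]) if len(sys.argv) > 1
               else classify_imports(SAMPLE_IMPORTS))
    print("\n".join(report(summary)) or "[-] No watched imports found")
```

Run it with a path to scan a real file, or without arguments to see the result on the constructed sample. Keeping the parsing separate from the r2pipe call is also what makes the caveat at the end of this README easy to demonstrate: a packed sample yields an import list that contains none of the watched names, and classify_imports() reports it as clean.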
Example output when all three components are present:
[+] Found ntdll.dll
[+] Found NtSetInformationProcess
[+] Found RtlSetProcessIsCritical
This is a POC and a fun project that helped me understand the r2pipe library, but it is by no means an effective way to detect those imports. Attackers can easily hide the imports from static analysis tools like this script; packing, for example, would be the easiest way to achieve that.