elf的UPX检测

qux-bbb · qux-bbb · commit f5d2fac0821f · 2022-07-20T07:16:02.000+08:00
diff --git a/tests/test_data/hello64_elf_static_upx_ b/tests/test_data/hello64_elf_static_upx_
diff --git a/tests/test_packer.py b/tests/test_packer.py
@@ -7,14 +7,23 @@
 
 cur_dir_path = Path(__file__).parent
 
-def test_upx_packer():
+
+def test_exe_upx_packer():
     upxed_path = cur_dir_path / 'test_data' / 'Hello_upx.exe_'
     file_analyzer = FileAnalyzer(upxed_path)
     pe_analyzer = PeAnalyzer(file_analyzer)
     matches = pe_analyzer.get_packer_result()
     assert matches == ['UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser']
 
 
+def test_elf_upx_packer():
+    upxed_path = cur_dir_path / 'test_data' / 'Hello64_elf_static_upx_'
+    file_analyzer = FileAnalyzer(upxed_path)
+    elf_analyzer = ElfAnalyzer(file_analyzer)
+    matches = elf_analyzer.get_packer_result()
+    assert matches == ['UPX 3.96']
+
+
 def test_pyinstaller_packer():
     pe_path = cur_dir_path / 'test_data' / 'pyinstaller_pack.exe_'
     file_analyzer = FileAnalyzer(pe_path)
diff --git a/xanalyzer/file.py b/xanalyzer/file.py
@@ -184,9 +184,7 @@ def get_wide_strs(self):
     def get_tool_recommendations(self):
         recommended_tool_names = []
 
-        if 'UPX compressed' in self.file_type:
-            recommended_tool_names.append('UPX')
-        elif 'Mono/.Net assembly' in self.file_type:
+        if 'Mono/.Net assembly' in self.file_type:
             recommended_tool_names.append('dnSpy')
         elif 'APK(Android application package)' in self.file_type:
             recommended_tool_names.append('JADX')
@@ -205,6 +203,8 @@ def get_tool_recommendations(self):
             recommended_tool_names.extend(['Wireshark', 'BruteShark'])
 
         for packer in self.packer_list:
+            if packer.startswith('UPX '):
+                recommended_tool_names.append('UPX')
             if packer.startswith('PyInstaller,'):
                 recommended_tool_names.append('PyInstaller Extractor')
 
diff --git a/xanalyzer/file_process/elf.py b/xanalyzer/file_process/elf.py
@@ -1,5 +1,6 @@
 # coding:utf8
 
+import re
 from xanalyzer.utils import log
 
 
@@ -18,7 +19,16 @@ def get_packer_result(self):
         if b'E: neither argv[0] nor $_ works.' in file_content:
             matches = ['Shc, Shell script compiler, https://github.com/neurobin/shc']
             return matches
-
+        
+        # Check UPX
+        if b'$Info: This file is packed with the UPX executable packer' in file_content:
+            upx_ver_s = re.search(rb'\$Id: (UPX .+?) Copyright', file_content)
+            if upx_ver_s:
+                matches = [upx_ver_s.group(1).decode()]
+            else:
+                matches = ['UPX unknown version']
+            return matches
+            
         return None
 
     def packer_scan(self):
