{"id":21469943,"url":"https://github.com/dobin/avred","last_synced_at":"2025-04-08T01:36:16.379Z","repository":{"id":154237577,"uuid":"494056826","full_name":"dobin/avred","owner":"dobin","description":"Analyse your malware to surgically obfuscate it","archived":false,"fork":false,"pushed_at":"2025-02-26T08:12:03.000Z","size":8424,"stargazers_count":457,"open_issues_count":0,"forks_count":53,"subscribers_count":9,"default_branch":"main","last_synced_at":"2025-04-01T00:34:55.899Z","etag":null,"topics":["amsi","antivirus","antivirus-evasion","malware","malware-development","obfuscation"],"latest_commit_sha":null,"homepage":"https://avred.r00ted.ch","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dobin.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-05-19T12:12:34.000Z","updated_at":"2025-03-23T14:54:40.000Z","dependencies_parsed_at":"2025-01-27T07:02:13.928Z","dependency_job_id":"986271fd-8888-4638-89fa-9152cfab7566","html_url":"https://github.com/dobin/avred","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dobin%2Favred","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dobin%2Favred/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dobin%2Favred/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dobin%2Favred/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dobin","
download_url":"https://codeload.github.com/dobin/avred/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247761051,"owners_count":20991531,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["amsi","antivirus","antivirus-evasion","malware","malware-development","obfuscation"],"created_at":"2024-11-23T09:19:39.536Z","updated_at":"2025-04-08T01:36:16.360Z","avatar_url":"https://github.com/dobin.png","language":"Python","readme":"# avred\n\nAntiVirus REDucer for AntiVirus REDteaming.\n\nAvred is used to identify which parts of a file are flagged\nby an antivirus, and tries to show as much information and context as possible about each match.\n\nThis includes:\n* Section names of matches\n* Verification of matches\n* Augmentation of matches as disassembled code or data references\n\nIt is mainly used to make it easier for red teamers to obfuscate their tools. 
\n\nCheck it out: [avred.r00ted.ch](https://avred.r00ted.ch)\n\nSlides: [HITB Slides Cracking The Shield.pdf](https://github.com/dobin/avred/blob/main/doc/HITB%20Slides%20Cracking%20the%20Shield.pdf)\n\n\n## Comparison to ThreatCheck\n\nCompared to ThreatCheck, avred has several additional features:\n\n* Shows all matches (not just one)\n* Verifies the matches to make sure they work\n* Shows more information about each match\n* Shows the relevance of each match, so you can target the weakest one\n\n\n## Background\n\nMost antivirus engines rely on strings or other byte sequences to recognize malware.\nThis project helps to automatically recover these signatures (matches).\n\nThe differences from similar projects are:\n* Knowledge of internal file structures:\n  * Can extract vbaProject.bin and modify it\n  * Knows about PE sections and scans each one individually\n  * Knows .NET streams\n* Supports any antivirus (through an AMSI server reached via HTTP)\n* Shows detailed information about each match (disassembly etc.)\n* Verifies the matches\n\n\n## Supported files\n\n* PE (EXE) files, r2 disassembly\n* PE .NET files, dncil disassembly\n* Word files, pcodedmp disassembly\n\n\n## Example\n\n```\n$ ./avred.py --file app/upload/DripLoader.exe \n[...]\nDripLoader.exe size: 93184  ident: PE EXE 64\nScannerInfo: zero-sections,section-scan\nMatches: \nid:0  offset:12991  len:195\n  Section: .text\n  Hexdump: \n00012991   48 81 C4 98 13 00 00 C3 CC CC CC CC CC CC CC C3    H...............\n000129A1   4D 8B C2 49 C7 C2 01 00 00 00 4D 33 D2 49 C7 C2    M..I......M3.I..\n000129B1   0A 00 00 00 4C 8B D1 33 C0 4D 2B C2 83 C0 18 4D    ....L..3.M+....M\n000129C1   33 C0 0F 05 C3 48 83 C1 0A 33 C0 4C 8B D1 83 C0    3....H...3.L....\n000129D1   3A 49 83 EA 0A 48 83 E9 0A 0F 05 C3 49 83 C2 1C    :I...H......I...\n000129E1   33 C0 4C 8B D1 49 83 EA 01 83 C0 50 49 83 C2 01    3.L..I.....PI...\n000129F1   0F 05 C3 4C 8B E1 4C 8B EA 4D 8B F0 4D 8B F9 4C    ...L..L..M..M..L\n00012A01   8B D1 48 33 C0 05 C1 00 00 00 0F 
05 48 83 F8 00    ..H3........H...\n00012A11   74 8D 49 8B CC 49 8B D5 4D 8B C6 4D 8B CF 4C 8B    t.I..I..M..M..L.\n00012A21   D1 48 33 C0 05 BD 00 00 00 0F 05 48 83 F8 00 0F    .H3........H....\n00012A31   84 6A FF FF FF 49 8B CC 49 8B D5 4D 8B C6 4D 8B    .j...I..I..M..M.\n00012A41   CF 4C 8B D1 48 33 C0 05 BC 00 00 00 0F 05 48 83    .L..H3........H.\n00012A51   F8 00 0F                                           ...\n[...]\n```\n\n\n## Upgrades\n\nNote: Data is stored in pickled `.outcome` files. When I change the model,\nweird things will happen.\n\nUsually this will fix it:\n```\n$ rm app/upload/*.outcome; rm app/upload/*.log\n$ for i in app/upload/*; do ./avred.py --file \"$i\"; done\n```\n\nWith hashcache enabled, this should be quick.\n\n\n## Install\n\nRequires: Python 3.8\n\nInstall the Python dependencies:\n```\npip3 install --upgrade -r requirements.txt\n```\n\nIf you get the error `ImportError: failed to find libmagic. Check your installation`, try:\n```\npip3 install python-magic-bin==0.4.14\n```\n\nInstall radare2:\n* Follow the [instructions](https://github.com/radareorg/radare2#installation) on the radare2 GitHub page\n* Or download the exe from the GitHub [releases](https://github.com/radareorg/radare2/releases) and add it to your `PATH` (e.g. on Windows)\n\nNote: Make sure you have dnfile \u003e= 0.14.1 installed.\n\n\n## Setup\n\nFirst, we need a Windows instance with an antivirus. We use [avred-server](https://github.com/dobin/avred-server) as the interface to this antivirus on a Windows host.\n\nLet's install and configure avred-server on the Windows VM `1.1.1.1:9001`.\nFollow the install instructions in the [avred-server](https://github.com/dobin/avred-server) README. 
\n\nOnce you have this and it's working properly (use `curl 1.1.1.1:9001/test`), you can set up avred:\n* Configure your server IP in `config.yaml` (e.g. `\"amsi\": \"1.1.1.1:9001\"`)\n* Test it by scanning a file with: `./avred.py --file test.ps1 --server amsi`\n\nIt should look like this:\n```\n$ r2 -v\nradare2 5.7.2 0 @ linux-x86-64 git.\ncommit: 5.7.2 build: 2022-07-02__14:15:22\n\n$ cat config.yaml\nserver:\n  amsi: \"http://1.1.1.1:8001/\"\n\n$ curl http://1.1.1.1:8001/test\n{\"benign detected\":false,\"malicous detected\":true,\"msg\":\"working as intended\"}\n\n$ ./avred.py --file test.ps1 --server amsi\n[INFO    ][2023/03/09 18:33][avred.py: 71] main() :: Using file: test.ps1\n[INFO    ][2023/03/09 18:33][avred.py: 90] scanFile() :: Handle file: test.ps1\n[INFO    ][2023/03/09 18:33][avred.py:115] scanFile() :: Using parser for PLAIN\n[ERROR   ][2023/03/09 18:33][avred.py:172] scanFile() :: test.ps1 is not detected by amsi\n[INFO    ][2023/03/09 18:33][avred.py:180] scanFile() :: Found 0 matches\n[INFO    ][2023/03/09 18:33][avred.py:206] scanFile() :: Wrote results to test.ps1.outcome\n```\n\n\n## How to use\n\nAs a web server:\n```sh\n$ python3 avredweb.py --listenip 127.0.0.1 --listenport 8080\n```\n\nIf you don't want every user to be able to see every uploaded file,\nset a password in `config.yaml` under the key `password`; the username is `admin`.\n\n\nFrom the command line:\n```sh\n$ python3 avred.py --server amsi --file app/upload/evil.exe\n```\n\n\n## File and Directory structure\n\nI am team NO-DB. Only files.\n\nFile nomenclature:\n* `file.exe`: The file you want to scan\n* `file.exe.log`: All log output of the scan (with `--logtofile`)\n* `file.exe.outcome`: Pickled Outcome data structure with all further information\n* `file.exe.pdb`: If you have debug symbols\n\nFor the webapp, files are uploaded to `app/uploads/`. 
\n\n\n## Docker\n\nBuild:\n```\n$ podman build -t avred .\n```\n\nRun:\n```\n$ podman run -p 9001:5000 -e \"server=http://1.1.1.1:8001\" --name avred -d avred\n```\n\nRun with the upload directory mounted:\n```\n$ podman run -p 9001:5000 -e \"server=http://1.1.1.1:8001\" -v $HOME/avred-uploads:/opt/avred/app/upload/ --name avred -d avred\n```\n\n\n## References\n\nSimilar to:\n* https://github.com/matterpreter/DefenderCheck\n* https://github.com/rasta-mouse/ThreatCheck\n* https://github.com/RythmStick/AMSITrigger\n\nBased on:\n* https://github.com/scrt/avdebugger\n\n\n## Tests\n\nCoverage:\n```\npython3 -m coverage run -m unittest  -\u003e .coverage\npython3 -m coverage report  -\u003e stdout\npython3 -m coverage html  -\u003e ./htmlcov/index.html\n```\n","funding_links":[],"categories":["Other Lists"],"sub_categories":["🧪 LAB"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdobin%2Favred","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdobin%2Favred","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdobin%2Favred/lists"}