{"id":24413955,"url":"https://github.com/m3rcurylake/nyxelf","last_synced_at":"2025-04-07T14:11:43.922Z","repository":{"id":272355524,"uuid":"916296847","full_name":"M3rcuryLake/Nyxelf","owner":"M3rcuryLake","description":"Nyxelf is a highly effective tool tailored for analyzing malicious Linux ELF binaries, offering comprehensive support for both static and dynamic analysis techniques.","archived":false,"fork":false,"pushed_at":"2025-01-25T08:58:18.000Z","size":15663,"stargazers_count":104,"open_issues_count":0,"forks_count":6,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-03-31T13:15:47.790Z","etag":null,"topics":["antivirus","binary","binary-analysis","linux-sandbox","malware-analysis","malware-research","reverse-engineering","sandbox","security"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/M3rcuryLake.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2025-01-13T20:32:08.000Z","updated_at":"2025-02-18T14:42:00.000Z","dependencies_parsed_at":"2025-03-24T12:13:17.167Z","dependency_job_id":"715adb69-d3e8-4565-a3ac-399f904b21c6","html_url":"https://github.com/M3rcuryLake/Nyxelf","commit_stats":null,"previous_names":["m3rcurylake/nyxelf"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/M3rcuryLake%2FNyxelf","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/M3rcuryLake%2FNyxelf/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/M3rcuryLake%2FNyxelf/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/M3rcuryLake%2FNyxelf/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/M3rcuryLake","download_url":"https://codeload.github.com/M3rcuryLake/Nyxelf/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247666009,"owners_count":20975787,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["antivirus","binary","binary-analysis","linux-sandbox","malware-analysis","malware-research","reverse-engineering","sandbox","security"],"created_at":"2025-01-20T07:16:40.356Z","updated_at":"2025-04-07T14:11:43.904Z","avatar_url":"https://github.com/M3rcuryLake.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Nyxelf\n  \n![Static Badge](https://img.shields.io/badge/made_by-m3rcurylake-orange?style=for-the-badge) ![GitHub License](https://img.shields.io/github/license/m3rcurylake/nyxelf?style=for-the-badge) ![GitHub Created At](https://img.shields.io/github/created-at/m3rcurylake/nyxelf?style=for-the-badge) ![GitHub last commit](https://img.shields.io/github/last-commit/m3rcurylake/nyxelf?style=for-the-badge) ![GitHub commit activity](https://img.shields.io/github/commit-activity/t/m3rcurylake/nyxelf?style=for-the-badge) ![GitHub Issues](https://img.shields.io/github/issues/M3rcurylake/nyxelf?style=for-the-badge)  ![GitHub Repo stars](https://img.shields.io/github/stars/M3rcurylake/nyxelf)\n\n\u003ctable\u003e\n\u003ctr\u003e\n\u003ctd\u003e\n\u003cdiv align='center'\u003e\n  \n### _About_\n  \nNyxelf is a powerful tool for analyzing malicious Linux ELF binaries, offering both **static** and **dynamic** analysis. It combines tools like `readelf`, `objdump`, and `pyelftools` for static analysis with a custom sandbox for dynamic analysis in a controlled environment using QEMU, a minimal Buildroot-generated image, and `strace`. Also it decompiles binary data to Assembly and C like pseudocode using `capstone` and `angr`. With Nyxelf, you can gain deep insights into executable files, including unpacking, syscall tracing, and process/file activity monitoring, all presented through an intuitive GUI powered by `pywebview`. \n\n\u003c/div\u003e\n\u003c/table\u003e\n\u003c/tr\u003e\n\u003c/td\u003e \n\n## Features:\n\n- **Static Analysis**:\n  - Inspect ELF headers, sections, and symbols.\n  - Decode assembly and variable data.\n  - Analyze suspicious imports which can be related to anti-debugging.\n  \n- **Dynamic Analysis**:\n  - Run binaries in a secure QEMU-based sandbox.\n  - Record process activity, syscalls, and file interactions with `strace`.\n  - Supports custom verbosity for syscall tracing.\n \n- **Decompilation**:\n  - Decompiles binary to Assembly and C like pseudocode using `capstone` and `angr`.\n  - Tries to retrive variable data from `.rodata` and `.data` sections.\n  - Uses `highlightjs`  CDNs for syntax highlighting.\n\n- **Other Features**:\n  -  Optional automatic UPX unpacking.\n  - JSON output for automated workflows.\n  - Adjustable syscall trace verbosity and string length filtering.\n\n\u003e [!NOTE]\n\u003e JSON files and other logs are saved to `/data`, while the file-system and kernel image is saved to `/sandbox`. \n\n\n## System Dependencies:\n\n**Install required packages**: Ensure you have python3 and python-pip installed and set to path and run the following commands, \n\n```bash\nsudo apt install qemu-kvm libvirt-daemon-system libvirt-clients bridge-utils virt-manager e2tools -y\ngit clone https://github.com/m3rcurylake/nyxelf.git\ncd nyxelf \u0026\u0026 pip install -r requirements.txt\n```\n\nAfter everything is completely installed, you can run Nyxelf as following:\n\n```bash\npython3 nyxelf.py --help\n```\n\n\n## Usage\n\nTo start analysing binaries, refer to the following help menu, or move to the project directory and type `python nyxelf.py --file FILE` in the terminal for a quick start, where `FILE` is the target binary. The output will be displayed in a new pywebview GUI window.\n\n```\npython nyxelf.py [-h] [--unpack] [--json] --file FILE [--short] [--length LENGTH]\n\n _____  ___    ___  ___   ___  ___    _______   ___         _______\n(\"   \\|\"  \\  |\"  \\/\"  | |\"  \\/\"  |  /\"     \"| |\"  |       /\"     \"|\n|.\\\\   \\    |  \\   \\  /   \\   \\  /  (: ______) ||  |      (: ______)\n|: \\.   \\\\  |   \\\\  \\/     \\\\  \\/    \\/    |   |:  |       \\/    |\n|.  \\    \\. |   /   /      /\\.  \\    // ___)_   \\  |___    // ___)\n|    \\    \\ |  /   /      /  \\   \\  (:      \"| ( \\_|:  \\  (:  (\n \\___|\\____\\) |___/      |___/\\___|  \\_______)  \\_______)  \\__/\n\n            [Another ELF Analysis Framework]\n\noptions:\n  -h, --help       show this help message and exit\n  --unpack         Attempt to unpack UPX file before analysis.\n  --json           Save JSON output of the analysis.\n  --file FILE      Path to the file to be analyzed.\n  --short          Use short trace output (hides args and reduces verbosity).\n  --length LENGTH  Maximum length of ASCII strings in strace output.\n\nNyxelf simplifies static and dynamic analysis of ELF binaries,\nenabling you to extract valuable insights effortlessly.\nAnd can be used for vulnerability assessments, unpacking,\nsyscall tracing, and memory analysis.\n\nExamples:\n  Analyze an ELF file statically and dynamically:\n    python3 nyxelf.py --file path/example.elf --json --unpack\n\n  Perform a detailed syscall trace with reduced verbosity:\n    python3 nyxelf.py --file path/example.elf --short --length 1024\n\nHappy analyzing!\n[\u0026] https://github.com/m3rcurylake\n[\u0026] By Ankit Mukherjee\n```\n\n\n### File Structure\n```\nNyxelf/\n├── data\n│   └── readme.md\n├── frontend\n│   ├── assets\n│   │   ├── BebasNeue-Regular.ttf\n│   │   └── Nunito-Regular.ttf\n│   └── styles\n│       ├── disassembly.css\n│       └── static.css\n├── LICENSE\n├── nyxelf.py\n├── README.md\n├── requirements.txt\n├── sandbox\n│   ├── bzImage\n│   └── rootfs.ext2\n└── src\n    ├── constructor.py\n    ├── __init__.py\n    ├── modules\n    │   ├── anti_debug_apis.py\n    │   ├── decompile.py\n    │   ├── __init__.py\n    │   ├── __main__.py\n    │   ├── packer_detection.py\n    │   ├── pseudocode.py\n    │   ├── section_entropy.py\n    │   └── variables.py\n    ├── sandbox.py\n    ├── static_analysis.py\n    └── trace_parser.py\n```\n\n## Roadmap\n\n- [x] Decompiler and Disassembler Support\n- [ ] Network Analysis\n- [ ] Better UI and Optimisation\n- [ ] Anti anti-debugging for ptrace etc.\n- [x] Detect Pyinstaller files\n- [ ] Add Effective Logging\n\n## License\nThis project is licensed under the [MIT](https://choosealicense.com/licenses/mit/) License - see the [LICENSE.md](https://github.com/m3rcurylake/nyxelf/LICENSE.md) file for details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fm3rcurylake%2Fnyxelf","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fm3rcurylake%2Fnyxelf","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fm3rcurylake%2Fnyxelf/lists"}