{"id":17383326,"url":"https://github.com/nvisosecurity/codasm","last_synced_at":"2025-04-05T23:05:57.101Z","repository":{"id":250044589,"uuid":"828982852","full_name":"NVISOsecurity/codasm","owner":"NVISOsecurity","description":"Payload encoding utility to effectively lower payload entropy.","archived":false,"fork":false,"pushed_at":"2024-11-18T08:21:11.000Z","size":1533,"stargazers_count":114,"open_issues_count":0,"forks_count":15,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-05T23:05:52.819Z","etag":null,"topics":["nviso-ares","offensive-security","payload","red-team","shellcode"],"latest_commit_sha":null,"homepage":"https://ares.nviso.eu/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/NVISOsecurity.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-07-15T14:13:16.000Z","updated_at":"2025-04-01T10:27:55.000Z","dependencies_parsed_at":"2025-01-28T21:04:10.423Z","dependency_job_id":"034452ad-154a-4e34-a9b3-fd3c77a7e153","html_url":"https://github.com/NVISOsecurity/codasm","commit_stats":null,"previous_names":["nvisosecurity/codasm"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NVISOsecurity%2Fcodasm","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NVISOsecurity%2Fcodasm/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NVISOsecurity%2Fcodasm/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NVISOsecurity%2
Fcodasm/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/NVISOsecurity","download_url":"https://codeload.github.com/NVISOsecurity/codasm/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247411228,"owners_count":20934653,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["nviso-ares","offensive-security","payload","red-team","shellcode"],"created_at":"2024-10-16T07:41:17.926Z","updated_at":"2025-04-05T23:05:57.069Z","avatar_url":"https://github.com/NVISOsecurity.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n  \u003cimg width=\"175px\" src=\"rsrc/codasm.png\" /\u003e\n  \u003ch1\u003eCODASM\u003c/h1\u003e\n  \u003cbr/\u003e\n\n  \u003cp\u003e\u003ci\u003eCODASM allows you to encode arbitrary data into pseudo ASM instructions and compile them into the .text section of binaries.\u003cbr /\u003eComes with 80-120% overhead (e.g. 
380KB CS shellcode =\u003e 870KB CODASM payload).\u003c/i\u003e\u003c/p\u003e\n  \u003cp\u003e\u003ci\u003eWritten by \u003ca href=\"https://github.com/molatho\"\u003eMoritz Thomas\u003c/a\u003e from the \u003ca href=\"https://ares.nviso.eu/\"\u003eARES\u003c/a\u003e team at \u003ca href=\"https://www.nviso.eu/\"\u003eNVISO\u003c/a\u003e.\u003c/i\u003e\u003c/p\u003e\n  \n  \u003cbr/\u003e\n  \n\u003c/div\u003e\n\n## Table of Contents\n\n- [Table of Contents](#table-of-contents)\n- [Installation](#installation)\n- [Usage: Source code generator](#usage-source-code-generator)\n- [Usage: Shellcode wrapper](#usage-shellcode-wrapper)\n- [Concept](#concept)\n  - [Shellcode](#shellcode)\n- [Example](#example)\n- [Detection](#detection)\n    - [1. **IsPE**](#1-ispe)\n    - [2. **ExampleUsage**](#2-exampleusage)\n    - [3. **Decode**](#3-decode)\n    - [4. **PEAnalysis**](#4-peanalysis)\n    - [5. **Shellcode**](#5-shellcode)\n    - [6. **CODASMed**](#6-codasmed)\n  - [Summary](#summary)\n- [Contributing](#contributing)\n\n## Installation\n\nSimply clone the repo locally: `git clone https://github.com/NVISOsecurity/codasm`\n\n* CODASM source code generator:\n  * Python3\n* CODASM shellcode wrapper:\n  * Python3\n  * nasm\n  * mingw-w64\n  * sed\n  * grep\n  * awk\n  * dd\n\n## Usage: Source code generator\n\n```\nusage: codasm.py [-h] -i INPUT [-oa OUT_ASM] [-ob OUT_BIN] [-oc OUT_C] [-op OUT_P] [--rng RNG] [-vbmin VAL_BYTES_MIN] [-vbmax VAL_BYTES_MAX] [-vbch VAL_BYTES_CHANCE] [-v]\n\nCODASM encoding utility\n\noptions:\n  -h, --help            show this help message and exit\n  -i INPUT, --input INPUT\n                        Path to the input file to encode as ASM/binary instructions\n  -oa OUT_ASM, --out-asm OUT_ASM\n                        Path to write the generated ASM instructions to\n  -ob OUT_BIN, --out-bin OUT_BIN\n                        Path to write the generated binary instructions to\n  -oc OUT_C, --out-c OUT_C\n                        Path to write the 
generated CODASM decoder to\n  -op OUT_P, --out-p OUT_P\n                        Path to write the embedded payload to\n  --rng RNG             Seed for randomization (xor-key, order of payload instructions, order of decoding operations)\n  -vbmin VAL_BYTES_MIN, --val-bytes-min VAL_BYTES_MIN\n                        Minimum number of bytes to encode into a single method (default 64)\n  -vbmax VAL_BYTES_MAX, --val-bytes-max VAL_BYTES_MAX\n                        Maximum number of bytes to encode into a single method (default 256)\n  -vbch VAL_BYTES_CHANCE, --val-bytes-chance VAL_BYTES_CHANCE\n                        Chance for an operation to become encode data rather than becoming a dummy (0.1-0.9, default 0.1)\n  -v, --verbose         Level of output verbosity (0-3, default 0)\n\nNote: ASM output is meant to be used for manual reference, not for compiling!\n```\n\nExample:\n\n1. Prepare shellcode (e.g. CS/BR shellcode) and save as `shellcode.bin`\n2. Encode shellcode using CODASM: `./codasm.py --i shellcode.bin -oc codasmloader.h`\n3. Copy `codasmloader.h` into your favourite loader or into a standalone minimal loader (e.g. [/demo/codasm.c](demo/codasm.c))\n4. Ensure to call CODASM's `decode` before calling the shellcode:\n\n   ```c\n   /* ~snip CODASM decode~*/\n\n   #include \u003cstdlib.h\u003e\n\n   // \"INTEXT\" macro ensures that the payload is placed into the `.text` section\n   INTEXT uint8_t payload[5978] = {\n       0x50, 0x53, 0x51, 0x52, 0x41, 0x50, 0x41, 0x51, 0x41, 0x52, 0x41, 0x53, /* ... 
*/\n   };\n\n   int main() {\n       uint64_t xor_key = 0xFFFDA6803A51E3FB; // Generated by CODASM\n       uint8_t* input = (uint8_t*)payload;\n       uint8_t* output = (uint8_t*)malloc(sizeof(payload));\n       uint32_t output_length = 0xac4;\n       int32_t res = 0;\n       if ((res = decode(input, sizeof(payload), output, output_length, xor_key)) \u003c 0)\n           return 1; // Some doo-doo happened, investigate value of res\n       // You successfully recovered the payload, do something fun with it here :)\n       return 0;\n   }\n   ```\n\n5. Compile your loader\n6. Ensure to `strip` the resulting binary to remove any debugging information!\n\n## Usage: Shellcode wrapper\n\n```\n$ ./codasm_shellcode.sh \nUsage: ./codasm_shellcode.sh \u003cinput_file\u003e \u003coutput_file\u003e\n```\n\nExample:\n1. Prepare shellcode (e.g. CS/BR shellcode) and save as `shellcode.bin`\n2. Generate shellcode wrapper that uses CODASM to encode it: `./codasm_shellcode.sh shellcode.bin shellcode_codasm.bin`\n3. `shellcode_codasm.bin` now holds your CODASM'ed shellcode and can be executed.\n\n## Concept\n\nPayloads (esp. shellcode) come with pretty high entropy and look out of place in most places in a compiled binary. CODASM aims to hide payloads in a place that comes with a high entropy already: the `.text` section that contains your binary's compiled code. To do so, CODASM generates legit looking shellcode that can embed any arbitrary payloads.\n\nCODASM is a Python script that generates\n\n1. legit looking shellcode for arbitrary payloads\n2. a C header file you can use in your program to embed the shellcode into a binary and retrieve it at run-time\n\nFor encoding payloads, CODASM does the following:\n\n- Generate valid x86_64 functions with prologues and epilogues and random instructions\n  - Embed payload bytes into instruction operands (e.g. 
`mov eax, \u003c4 bytes of payload\u003e`)\n  - XOR encrypt the embedded payload bytes\n\nFor decoding payloads, the generated C header file does the following:\n\n- Parse single instructions until the desired number of payload bytes has been retrieved:\n  - Detect individual instructions, determine whether they contain payload bytes\n  - If an instruction contains payload bytes, extract and decrypt them\n\n### Shellcode\n\nThe shellcode wrapper simply holds the CODASM encoded payload, the above-mentioned decoder and a brief ASM stub that calls the decoder.\n\n## Example\n\n```bash\n# Input file\n$ cat test.txt\nmy secret message\n\n# Encode \u0026 generate C file\n$ ./codasm.py -i test.txt -ob test.bin -oa test.asm -oc test.c\n\n# Generated machine code\n$ xxd test.bin\n00000000: 5053 5152 4150 4151 4152 4153 4154 4155  PSQRAPAQARASATAU\n00000010: 4156 4157 4883 ec28 751b 757f c705 5696  AVAWH..(u.u...V.\n00000020: 44e9 6df6 61d6 84c0 488d 0d91 9e02 2640  D.m.a...H.....\u0026@\n00000030: 32ff b91b 8052 f975 8283 f99c 85c9 7513  2....R.u......u.\n00000040: 4883 c428 415f 415e 415d 415c 415b 415a  H..(A_A^A]A\\A[AZ\n00000050: 4159 4158 5a59 5b58 c3cc                 AYAXZY[X..\n\n# Generated ASM\n$ cat test.asm\npush rax\n...\npush r15\nsub RSP, 0x28\njnz 0x1B\njnz 0x7F\nmov 0xE9449656,0xD661F66D\ntest al,al\nlea 0x26029E91\nxor dil,dil\nmov ecx,0xF952801B\njnz 0x82\ncmp ecx,0x9C\ntest ecx,ecx\njnz 0x13\nadd RSP, 0x28\npop r15\n...\npop rax\nretn\n; Padding\n\n# Prepare generated C file for compilation\n$ sed -i \"s/\\/\\* Generated.*//\" test.c\n$ sed -i \"s/Sample usage://\" test.c\n$ sed -i \"s/}\\*\\//}/\" test.c\n\n# Minimal program in C file:\n$ tail -n 30 test.c\n\n#endif // CODASM_DECODE\n\n\n\n\n#include \u003cstdlib.h\u003e\n\nINTEXT uint8_t payload[90] = {\n    0x50, 0x53, 0x51, 0x52, 0x41, 0x50, 0x41, 0x51, 0x41, 0x52, 0x41, 0x53, /* ... 
*/\n\nint main() {\n    uint64_t xor_key = 0xFBE38A21E5760676;\n    uint8_t* input = (uint8_t*)payload;\n    uint8_t* output = (uint8_t*)malloc(sizeof(payload));\n    uint32_t output_length = 0x11;\n    int32_t res = 0;\n    if ((res = decode(input, sizeof(payload), output, output_length, xor_key)) \u003c 0)\n        return 1; // Some doo-doo happened, investigate value of res\n    // You successfully recovered the payload, do something fun with it here :)\n    return 0;\n}\n\n# Compile using MINGW\n$ x86_64-w64-mingw32-gcc test.c -o test.exe\n\n# Find generated ASM in compiled EXE:\n$ objdump -d test.exe\n\n...\n0000000140002da0 \u003cpayload\u003e:\n   140002da0:\t50                   \tpush   %rax\n   ...\n   140002db2:\t41 57                \tpush   %r15\n   140002db4:\t48 83 ec 28          \tsub    $0x28,%rsp\n   140002db8:\t75 1b                \tjne    140002dd5 \u003cpayload+0x35\u003e\n   140002dba:\t75 7f                \tjne    140002e3b \u003cmain+0x41\u003e\n   140002dbc:\tc7 05 56 96 44 e9 6d \tmovl   $0xd661f66d,-0x16bb69aa(%rip)        # 12944c41c \u003c__size_of_stack_reserve__+0x12924c41c\u003e\n   140002dc3:\tf6 61 d6\n   140002dc6:\t84 c0                \ttest   %al,%al\n   140002dc8:\t48 8d 0d 91 9e 02 26 \tlea    0x26029e91(%rip),%rcx        # 16602cc60 \u003c.debug_ranges+0x25fde970\u003e\n   140002dcf:\t40 32 ff             \txor    %dil,%dil\n   140002dd2:\tb9 1b 80 52 f9       \tmov    $0xf952801b,%ecx\n   140002dd7:\t75 82                \tjne    140002d5b \u003cdecode+0x4f\u003e\n   140002dd9:\t83 f9 9c             \tcmp    $0xffffff9c,%ecx\n   140002ddc:\t85 c9                \ttest   %ecx,%ecx\n   140002dde:\t75 13                \tjne    140002df3 \u003cpayload+0x53\u003e\n   140002de0:\t48 83 c4 28          \tadd    $0x28,%rsp\n   140002de4:\t41 5f                \tpop    %r15\n   ...\n   140002df7:\t58                   \tpop    %rax\n   140002df8:\tc3                   \tret\n   140002df9:\tcc                   
\tint3\n...\n```\n\n\u003e Note that the compiled binary wasn't stripped, hence there's identifiers like `payload` showing up.\n\nThe embedded payload looks like this in IDA:\n![](rsrc/disassembly.png)\n\n## Detection\n\nYou can use the following YARA rules to potentially detect a PECOFF file that embeds output generated by CODASM. You can find a brief description of the rules below the code block.\n\n```yara\n\nimport \"pe\"\nimport \"math\"\n\n\nprivate rule IsPE\n{\n    meta:\n        description = \"Tests whether the file starts with the MZ header.\"\n        author = \"Moritz Thomas\"\n        date = \"2024-07-24\"\n\n    condition:\n        uint16(0) == 0x5A4D\n}\n\nprivate rule ExampleUsage\n{\n    meta:\n        description = \"Detects malloc and invoking the decode function, passing in references to the .data section\"\n        author = \"Moritz Thomas\"\n        date = \"2024-07-24\"\n\n    strings:\n        $AllocDecode = {\n            8b 0d ?? ?? ?? ??   // MOV ECX, dword ptr [DAT_1400fb070]\n            89 4c 24 ??         // MOV dword ptr [RSP + 0x3c], ECX\n            e8 ?? ?? ?? ??      // CALL MSVCRT.DLL::malloc\n                               // ECX = DAT_1400fb070\n                               // [RSP + 0x3c] = ECX\n                               // malloc()\n            8b 15 ?? ?? ?? ??   // MOV EDX, dword ptr [DAT_1400fb080]\n            44 8b 4c 24 ??      // MOV R9D, dword ptr [RSP + 0x3c]\n                               // EDX = DAT_1400fb080\n                               // R9D = [RSP + 0x3c]\n            48 8d 0d ?? ?? ?? ?? // LEA RCX, [FUN_140001460]\n            48 89 c3            // MOV RBX, RAX\n            48 8b 05 ?? ?? ?? ?? // MOV RAX, qword ptr [DAT_1400fb090]\n            49 89 d8            // MOV R8, RBX\n            48 89 44 24 ??      
// MOV qword ptr [RSP + 0x20], RAX\n                               // RCX = \u0026FUN_140001460\n                               // RBX = RAX\n                               // RAX = DAT_1400fb090\n                               // R8 = RBX\n                               // [RSP + 0x20] = RAX\n            e8 ?? ?? ?? ??      // CALL FUN_1400f9cf0\n                               // FUN_1400f9cf0()\n            89 c2               // MOV EDX, EAX\n            85 c0               // TEST EAX, EAX\n            79 13               // JNS LAB_1400fac7b\n                               // EDX = EAX\n                               // if (EAX \u003e= 0) goto LAB_1400fac7b\n            48 8d 0d ?? ?? ?? ?? // LEA RCX, [LAB_1400fc0e3]\n            e8 ?? ?? ?? ??      // CALL FUN_1400faae0\n                               // RCX = \u0026LAB_1400fc0e3\n                               // FUN_1400faae0()\n            b8 01 00 00 00      // MOV EAX, 0x1\n            eb ??               // JMP LAB_1400faca3\n                               // EAX = 1\n                               // goto LAB_1400faca3\n            83 f8 42            // CMP EAX, 0x42\n            75 ??               // JNZ LAB_1400fac8a\n                               // if (EAX != 0x42) goto LAB_1400fac8a\n            b9 22 00 00 00      // MOV ECX, 0x22\n            e8 ?? ?? ?? ??      // CALL FUN_140001460\n                               // ECX = 0x22\n                               // FUN_140001460()\n        }\n        // if (iVar2 == 0x42) FUN_140001460(0x22, 0x42);\n        $PseudoCall= {\n            83 f8 42          // CMP EAX, 0x42\n            75 ??             // JNZ LAB_1400FACA3\n            b9 22 00 00 00    // MOV ECX, 0x22\n            e8 ?? ?? ?? ??    
// CALL FUN_140001460\n        }\n\n    condition:\n        IsPE and $AllocDecode and $PseudoCall\n}\n\nprivate rule Decode\n{\n    meta:\n        description = \"Detects parameter validation (null-checks), returning -2 and performing a pseudo call RBX(22h)\"\n        author = \"Moritz Thomas\"\n        date = \"2024-07-24\"\n\n    strings:\n        $NullTest = {\n            48 85 c9 // TEST    param_1,param_1\n            74 ??    // JZ      LAB_1400f9d76\n            4d 85 c0 // TEST    param_3,param_3\n            74 ??    // JZ      LAB_1400f9d76\n        }\n        $ReturnMinusTwo = {\n            b8 fe ff ff ff  // MOV  EAX,0xfffffffe\n        }\n        $PseudoCall = {\n            b9 22 00 00 00  // MOV  ECX,0x22\n            ff d3           // CALL RBX\n        }\n\n    condition:\n        IsPE and $NullTest and $ReturnMinusTwo and $PseudoCall\n}\n\nprivate rule PEAnalysis\n{\n    meta:\n        description = \"Detects PE files with very large .text sections (\u003e=90%) that have reasonable entropy (5.0 \u003c e(.text) \u003c 7.0).\"\n        author = \"Moritz Thomas\"\n        date = \"2024-07-24\"\n\n    condition:\n        IsPE and // Check for MZ header\n        for any i in (0..pe.number_of_sections - 1) : (\n            pe.sections[i].name == \".text\"  and\n            pe.sections[i].raw_data_size \u003e (filesize * 0.9) and\n            math.in_range(\n                math.entropy(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size),\n                5.0, 7.0\n            )\n\n        )\n}\n\nprivate rule Shellcode\n{\n    meta:\n        description = \"Detects the ASM and C shellcode stubs\"\n        author = \"Moritz Thomas\"\n        date = \"2024-10-09\"\n\n    strings:\n        $CallNReturn420 = {\n            ff d3                \t// call   *%rbx // ((fptr)(pAddress))();\n            b8 20 04 00 00       \t// mov    $0x420,%eax // return 0x420;\n            48 83 c4 48          \t// add    $0x48,%rsp\n            5b 5e 5f 5d 41 5c 
41 5d // pop    %rbx, %rsi, %rdi, %rbp, %r12, %r13\n            c3                      // ret\n        }\n\n        $AsmStub = {\n            eb 24                \t// jmp    shellcodePush\n            59                   \t// pop    rcx\n            48 83 ec 20          \t// sub    rsp,0x20\n            ba 56 ?? ?? ??       \t// mov    edx,CA_PAYLOAD_LEN\n            41 b8 ?? ?? ?? ??    \t// mov    r8d,CA_OUTPUT_LEN\n            49 b9 ?? ?? ?? ?? ?? ?? ?? ?? \t// movabs r9,XOR_KEY\n            e8 3f ?? ?? ??       \t// call   0x1260\n            48 83 c4 20          \t// add    rsp,0x20\n            c3                   \t// ret\n            e8 d7 ff ff ff       \t// call   decoder\n        }\n\n    condition:\n        $CallNReturn420 or $AsmStub\n}\n\nrule CODASMed\n{\n    condition:\n        ExampleUsage or (Decode and PEAnalysis) or Shellcode\n}\n```\n\n#### 1. **IsPE**\n\n- **Description**: Tests whether the file starts with the MZ header.\n- **Detection Method**: This rule checks if the first two bytes of the file are `0x5A4D`, which corresponds to the \"MZ\" header used in PE (Portable Executable) files.\n\n#### 2. **ExampleUsage**\n\n- **Description**: Detects malloc and invoking the decode function, passing in references to the .data section.\n- **Detection Method**:\n  - **$AllocDecode**: This string pattern matches a sequence of instructions that include loading values from memory, performing a malloc call, and subsequent operations involving the `.data` section.\n  - **$PseudoCall**: This string pattern detects a pseudo-call which is never triggered.\n  - **Condition**: This rule is triggered if both the `$AllocDecode` and `$PseudoCall` patterns are found in a file that is identified as a PE file by the `IsPE` rule.\n\n#### 3. 
**Decode**\n\n- **Description**: Detects parameter validation (null-checks), returning -2 and performing a pseudo call RBX(22h).\n- **Detection Method**:\n  - **$NullTest**: Matches a sequence of instructions that perform null-checks on parameters.\n  - **$ReturnMinusTwo**: Matches an instruction that sets the return value to -2.\n  - **$PseudoCall**: Matches a sequence of instructions that perform a pseudo call to the RBX register with a specific value.\n  - **Condition**: This rule is triggered if all three patterns (`$NullTest`, `$ReturnMinusTwo`, and `$PseudoCall`) are found in a file that is identified as a PE file by the `IsPE` rule.\n\n#### 4. **PEAnalysis**\n\n- **Description**: Detects PE files with very large .text sections (\u003e=90%) that have reasonable entropy (5.0 \u003c e(.text) \u003c 7.0).\n- **Detection Method**:\n  - **Condition**: This rule checks if the `.text` section of a PE file is larger than or equal to 90% of the total file size and has an entropy value between 5.0 and 7.0. The rule iterates over all sections in the PE file and applies the condition to the `.text` section.\n\n#### 5. **Shellcode**\n\n- **Description**: Detects the ASM and C shellcode stubs.\n- **Detection Method**:\n  - **Condition**: This rule checks whether the bytes making up the ASM stub and the invocation of the shellcode and `return 0x420` are present in the file.\n\n#### 6. 
**CODASMed**\n\n- **Description**: Combines the detection logic of `ExampleUsage`, `Decode`, `PEAnalysis`, and `Shellcode`.\n- **Detection Method**:\n  - **Condition**: This rule is triggered if the `ExampleUsage` rule, both the `Decode` and `PEAnalysis` rules, or the `Shellcode` rule is satisfied.\n\n### Summary\n\n- **IsPE**: Checks if a file is a PE file by verifying the MZ header.\n- **ExampleUsage**: Detects specific memory allocation and function invocation patterns in a PE file.\n- **Decode**: Detects parameter validation, specific return values, and pseudo calls in a PE file.\n- **PEAnalysis**: Identifies PE files with large `.text` sections and specific entropy ranges.\n- **Shellcode**: Detects the ASM and C shellcode stubs.\n- **CODASMed**: Combines the logic of `ExampleUsage`, `Decode`, `PEAnalysis`, and `Shellcode` to detect complex patterns in PE files.\n\n## Contributing\n\nPlease feel free to contribute. It's as simple as:\n\n- Fork the repository\n- Implement your changes\n- Create a commented pull request\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnvisosecurity%2Fcodasm","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnvisosecurity%2Fcodasm","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnvisosecurity%2Fcodasm/lists"}