{"id":21601549,"url":"https://github.com/vmware-samples/process-snapshots-toolkit","last_synced_at":"2025-05-06T00:22:40.888Z","repository":{"id":43667457,"uuid":"369331138","full_name":"vmware-samples/process-snapshots-toolkit","owner":"vmware-samples","description":"Anti-Malware Sandbox Process Snapshots Toolkit is a toolkit to work with Sandbox Process Snapshots generated during dynamic analysis.","archived":false,"fork":false,"pushed_at":"2023-07-12T21:13:00.000Z","size":6277,"stargazers_count":0,"open_issues_count":1,"forks_count":4,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-03-31T01:05:13.919Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/vmware-samples.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.txt","code_of_conduct":"CODE-OF-CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-05-20T20:32:02.000Z","updated_at":"2022-02-25T00:46:28.000Z","dependencies_parsed_at":"2025-01-24T18:37:58.215Z","dependency_job_id":null,"html_url":"https://github.com/vmware-samples/process-snapshots-toolkit","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vmware-samples%2Fprocess-snapshots-toolkit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vmware-samples%2Fprocess-snapshots-toolkit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vmware-samples%2Fprocess-snapshots-toolkit/releases","manifest
s_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vmware-samples%2Fprocess-snapshots-toolkit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/vmware-samples","download_url":"https://codeload.github.com/vmware-samples/process-snapshots-toolkit/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252596799,"owners_count":21773932,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-24T19:09:51.964Z","updated_at":"2025-05-06T00:22:40.870Z","avatar_url":"https://github.com/vmware-samples.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Process Snapshot Toolkit\nA toolkit to work with Process Snapshots generated during dynamic analysis by the VMware Anti-Malware Sandbox.\n\n## Overview\nIf you are an NSX NDR (Lastline Defender) customer or a researcher using an NSX NDR (Lastline Defender) account to perform dynamic analysis of files, then one of the useful metadata types produced by sandbox analysis that you can access is Sandbox Process Snapshots.\nSandbox Process Snapshots are available for most analysis subjects based on executable files in the Sandbox dynamic analysis report.\nThe Sandbox Process Snapshots for each subject are packed into a specifically formatted snapshot file. 
\nThe snapshot file contains at least one (and up to ten) snapshots of the untrusted memory space of the process, taken at certain points during dynamic execution in the sandbox.\n\nIt is designed to provide in-depth visibility into malicious code, including code which is packed or hidden in the original executable and only gets unpacked during execution.\n\nFor more details on how to download a Process Snapshot, please refer to the official [documentation](https://analysis.lastline.com/analysis/api-docs/html/analysis_results/format_ll_int_win.html#windows-analysis-process-dumps-pe-snapshots)\n\n## Installation\nTo install the package, run\n```\npip2 install process_snapshot_toolkit\n```\n\nAlternatively, this project can be installed via pip directly from a git clone of this repository:\n```\ngit clone \u003crepo-url\u003e\ncd process-snapshot-toolkit\npip2 install .\n```\n\n## Development\nIf changes need to be made to this project, it can be installed in a manner where it will be\nusable directly from a local git repo copy.\n```\n# Optionally, use a virtualenv to install dependencies into, so as to not mess with system-level or\n# user-level dependencies\npython2 -m virtualenv venv\n. venv/bin/activate\n\n# Install dependencies needed to run the project.\npip2 install -e .\n\n# Run tests\npython2 setup.py test\n```\n\n## Analysis\n\n### Prerequisites\nThis section assumes that you've downloaded the latest Ghidra from https://ghidra-sre.org/,\nunpacked it to a chosen directory, and are able to run Ghidra.\n\n### Ghidra Code Browser\nProcess snapshots can be loaded into a Code Browser session for the exe file that the snapshot was\ntaken for.\n\n#### Configuration\nInside the Ghidra Code Browser session's Script Manager (see the \"Window\" tab), click the\n\"Manage Script Directories\" button (looks like a bulleted list). Inside the \"Bundle Manager\"\npopup, click the \"Display file chooser to add bundles list\" button (looks like a green \"+\"). 
Then\nselect the subdirectory `ghidra/scripts` from inside wherever the process snapshot toolkit has been\ninstalled. If you used `pip` to install process_snapshot_toolkit on Ubuntu, then this\ndirectory will be available at\n`~/.local/lib/python2.7/site-packages/process_snapshot_toolkit/ghidra/scripts/`\n\n#### Running\nOnce the directory containing the script has been added to the Code Browser's script directories,\nthe script `process_snapshot_loader.py` will be listed inside the Script Manager.\nDouble-click this script and follow the dialog to load a snapshot file.\n\n### Ghidra Headless\nExe files and their corresponding process snapshots can be analyzed by Ghidra in a headless fashion\nto extract decompiled code, PCODE, and call relationships between functions.\n\n#### Configuration\n\nUsing `conf.ini.template`, create a configuration file:\n```\n[ghidra]\nghidra_dir=\u003cpath to location where Ghidra was unpacked\u003e\n```\n\n#### Running\nTo decompile using the original executable file only:\n```\nghidra_analyze.py -c conf.ini -o \u003coutput_dir\u003e --exe-file \u003coriginal_executable\u003e\n```\n\nTo decompile using the original executable file and the Lastline Process Snapshot:\n```\nghidra_analyze.py -c conf.ini -o \u003coutput_dir\u003e --exe-file \u003coriginal_executable\u003e --snapshot-file \u003clastline_process_snapshot\u003e\n```\n\n#### Generated files\nFor each Lastline Process Snapshot, the script will generate the following files:\n\n**\u003coriginal_executable_name\u003e.c** - decompiled C-like code of the executable.\n\n**\u003coriginal_executable_name\u003e.called** - a list of called functions for each function found in the executable.\n\n**\u003coriginal_executable_name\u003e.pcode** - PCODE of each function found in the executable. 
More details about the PCODE format are available [here](https://ghidra.re/courses/languages/html/pcoderef.html)\n\nBesides the original executable file, the output files will be generated for each snapshot found in the Lastline Process Snapshot file. \n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvmware-samples%2Fprocess-snapshots-toolkit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvmware-samples%2Fprocess-snapshots-toolkit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvmware-samples%2Fprocess-snapshots-toolkit/lists"}