{"id":28416817,"url":"https://github.com/withsecurelabs/deject","last_synced_at":"2025-06-25T02:31:59.696Z","repository":{"id":210043702,"uuid":"712902322","full_name":"WithSecureLabs/deject","owner":"WithSecureLabs","description":"Memory dump and Sample analysis tool","archived":false,"fork":false,"pushed_at":"2025-03-17T12:52:53.000Z","size":1347,"stargazers_count":12,"open_issues_count":0,"forks_count":1,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-06-04T07:28:02.080Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://labs.withsecure.com/tools/deject--malware-reverse-engineering-toolbox","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/WithSecureLabs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-11-01T12:48:27.000Z","updated_at":"2025-03-24T21:35:56.000Z","dependencies_parsed_at":"2024-02-14T16:45:59.253Z","dependency_job_id":"538b380a-acf3-495b-91ac-9544f9383b9e","html_url":"https://github.com/WithSecureLabs/deject","commit_stats":null,"previous_names":["withsecurelabs/deject"],"tags_count":5,"template":false,"template_full_name":null,"purl":"pkg:github/WithSecureLabs/deject","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/WithSecureLabs%2Fdeject","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/WithSecureLabs%2Fdeject/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/WithSecureLabs%2Fdeject/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories
/WithSecureLabs%2Fdeject/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/WithSecureLabs","download_url":"https://codeload.github.com/WithSecureLabs/deject/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/WithSecureLabs%2Fdeject/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":261791017,"owners_count":23210081,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-06-04T00:43:55.383Z","updated_at":"2025-06-25T02:31:59.687Z","avatar_url":"https://github.com/WithSecureLabs.png","language":"Python","readme":"# DEJECT - Memory dump and Sample analysis tool\n\n---\n\n## Dependencies\nThis project has the following dependencies that cannot be installed via Python:\n* Poetry - Dependency management for Python (https://python-poetry.org/)\n* Radare2/Rizin - Reverse Engineering Framework (https://rada.re/ / https://rizin.re/)\n* libfuzzy-dev\n\nRequired for M2Crypto:\n* libssl-dev\n* swig\n* python3-dev\n* gcc\n\nFor the Zeek plugin:\n* [Zeek](https://github.com/zeek/zeek)\n\nFor the Bulk Extractor plugin:\n* [Bulk Extractor](https://github.com/simsong/bulk_extractor)\n\n**NB**: Support for Rizin is still new and has not been fully tested.\n\n## Installation\n\nClone the repository with GIT using the following command:\n\n`git clone --recurse-submodules https://github.com/WithSecureLabs/deject.git`\n\nIn the deject folder run:\n\n`poetry install`\n\nThis should install the Python dependencies and create a new virtual environment for Deject.\nRun Deject 
by typing the following command in the Deject directory:\n`poetry run deject`\n\n## Building with Nix\n\nThis project contains a `flake.nix` file, which means that the following outputs can be produced:\n```\n├───devShells\n│   └───x86_64-linux\n│       └───default: development environment 'nix-shell'\n└───packages\n    └───x86_64-linux\n        ├───default: package 'python3.11-deject-0.4.0'\n        └───deject: package 'python3.11-deject-0.4.0'\n```\n\n### devShell\n\n`devShell` is, as the name suggests, a dev-friendly environment, with all the required dependencies, to build and continue development of this project.\nThis also creates a 'temporary' shell, with the built package provided, added to that given devShell PATH.\n\nIn order to do that, run the following in Deject's root dir:\n\n`nix develop`\n\n\u003e no other information is required, as there's only one devShell associated with this flake\n\n### binary output\n\nIf you want to build a binary of this project, using Nix, run the following inside Deject's root dir:\n\n`nix build`\n\n\u003e no other information is required in this case either, as both outputs for 'packages' are identical, as seen in the output of `nix flake show` above\n\nThis will create a directory `result`, and the deject binary will be located under `./result/bin/deject`.\n\n## Tests\nTo run the tests, to check that Deject is working correctly, use the following command in the Deject directory:\n\n`poetry run pytest`\n\n## M2Crypto Install\nIf the above command fails on the M2Crypto Python package, install the following dependencies:\n`libssl-dev swig python3-dev gcc`\n(these are the package names for Debian; if using RedHat, the names might be different.)\n\n## Zeek Install\nInstall Zeek via a package manager (https://docs.zeek.org/en/master/install.html) or from source (https://github.com/zeek/zeek).\nRun `ln -s /path/to/zeek bin/zeek` to link the Zeek binary in the `bin` directory for the Zeek plugin to find it.\nThis is only needed if you 
want to run the Zeek plugin to analyse pcap files.\n\n## Basic Usage\n\nTo list the available plugins: `poetry run deject plugins`\n\nIn the deject folder run `poetry run deject run \u003cpath to memory dump\u003e`\n\nTo run only a single plugin use the `--include \u003cplugin name\u003e` option.\n\nSome plugins require an argument; place it after the memory dump, such as:\n\n`--include pe_hashes \u003cpath to memory dump\u003e \u003cbase_addr\u003e`\n\nTo provide an argument starting with a `-` or more than one argument to the application, use quotes:\n* `--include cobaltstrike_check \u003cpath to memory dump\u003e \" -J \"`\n* `--include pe_sections \u003cpath to exe\u003e \"carve .text\"`\n\n## Dockerfile\nTo provide a unified environment, a Dockerfile is provided.\n\nBuildx is the suggested client; install buildx from https://docs.docker.com/build/install-buildx/ (documentation: https://github.com/docker/buildx#linux-packages). (On Debian run `apt-get install docker-buildx-plugin`)\nRunning `docker buildx install` makes Buildx the default build client (this only needs to be done once.)\n\n```\ndocker buildx install\ndocker build --tag deject .\ncd dir/with/malware\ndocker run -v \"$PWD\":/work --tty deject --include pdf_object /work/\u003cfile\u003e \u003cobject\u003e\n```\n\n## Malware Samples\nIf you want to test Deject but don't have any malware, you can download malware samples from:\nhttps://github.com/jstrosch/malware-samples\nBeware that these are live samples; use at your own risk.\n\n## Generating Documentation\nDocumentation can be generated using Doxygen (https://github.com/doxygen/doxygen) by using the following command:\n```\ndoxygen deject-docs\n```\nThis will output HTML pages to the `docs/` directory.\n\n## Settings\n\n### VTKEY\nFor plugins that require a VirusTotal API key, set a `VT_KEY` environment variable:\n```\nset VT_KEY=\u003cvtapi\u003e\n```\n\n### Yara Rules\nThe default Yara rule repository is located at `scripts/yara-rules`. 
To use a different set of Yara rules, set the `RULES` environment variable:\n```\nset RULES=\u003cpath/to/yara/rules\u003e\n```\n\n### Zeek\nThe default location for Zeek is the `bin/` directory. This can be changed using the `ZEEK_PATH` environment variable:\n```\nset ZEEK_PATH=\u003c/path/to/zeek\u003e\n```\nYou will need to install Zeek separately.\n\n### Bulk Extractor\nThe default location for Bulk Extractor is the `bin/` directory. This can be changed using the `BULK_PATH` environment variable:\n```\nset BULK_PATH=\u003c/path/to/bulk_extractor\u003e\n```\nYou will need to install Bulk Extractor separately.\n\n## Useful Links\n\n* https://www.forrest-orr.net/post/masking-malicious-memory-artifacts-part-ii-insights-from-moneta\n* https://github.com/jstrosch/malware-samples\n\n## Acknowledgements\n* [Didier Stevens](https://github.com/DidierStevens/DidierStevensSuite) (1768.py and pdftool/pdfid/pdf-parser)\n* [Chepy](https://github.com/securisec/chepy)\n* [mwcfg-modules](https://github.com/c3rb3ru5d3d53c/mwcfg-modules/tree/master)\n* [Malduck](https://github.com/CERT-Polska/malduck)\n* [Radare2](https://github.com/radareorg/radare2)/[Rizin](https://github.com/rizinorg/rizin)\n* [Yara](https://github.com/virustotal/yara)\n* [KaitaiStruct](https://github.com/kaitai-io/kaitai_struct)\n* [Protections Artifacts](https://github.com/elastic/protections-artifacts) (Elastic)\n* [pefile](https://github.com/erocarrera/pefile)\n* [dc3-mwcp](https://github.com/dod-cyber-crime-center/DC3-MWCP)\n* [minidump](https://github.com/skelsec/minidump/)\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwithsecurelabs%2Fdeject","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fwithsecurelabs%2Fdeject","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwithsecurelabs%2Fdeject/lists"}