Chameleon, a framework for testing the anti-evasion capabilities of PDF malware scanners, runs in four independent steps as shown in the figure below. This repository contains the code base for steps Generate and Assess.
Moreover, the set of 1395 malicious and evasive PDF files that is used in our study is available. The set can be used to benchmark a malware scanner in its anti-evasion abilities. Email Saeed Ehteshamifar ([email protected]) if you're interested in obtaining the set. For more details about the framework refer to our paper.
Prerequisites

The following packages are needed to use the framework.

Linux/macOS packages:

- mysql-server (>= 10.1.26)
- metasploit-framework (>= 4.16.7)
- ruby (>= 2.3.3)
- pip (>= 9.0.1)
- bundler (>= 1.15.1)

Python packages (`pip install`):

- PyMySQL (>= 0.7.11)
- pytz (>= 2018.9)
- Edit `Gemfile` in Metasploit's installation directory (probably `/usr/share/metasploit-framework` or `/opt/metasploit-framework/embedded/framework`) and add an entry for Origami-PDF and Chunky PNG:

  ```
  gem 'origami'
  gem 'chunky_png'
  ```

- Run Bundler in the same directory to install the newly required Gems:

  ```
  metasploit-framework# bundle
  ```

- Clone this repository, go to its directory, and copy the content of the `metasploit_modules` directory to `~/.msf4`:

  ```
  Chameleon# cp -r ./src/metasploit_modules/* ~/.msf4
  ```

- In Chameleon's `src` directory, run `generator.py` to generate the test suite:

  ```
  src# ./generator.py
  ```

  Edit `testcases.py` to control which payloads, exploits, and evasions are used in the generation process.

- Scan a test suite with an analyzer and write the results to the database, using the scheme defined in `database-scheme.txt`.
- Implement the functions in `analyzers_list.py` according to the comments at the top of the file and the analyzers used in the previous step.
- Run `results_parser.py`:

  ```
  src# ./results_parser.py
  ```
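The Metasploit-side setup above (add the two gems, run Bundler, copy the modules) is easy to get half-done, for example ending up with duplicate `gem` lines after a second attempt. The script below is an added example and is not part of the Chameleon repository: it performs those steps idempotently and checks the prerequisites first. It assumes the `MSF_DIR` environment variable (or one of the two install paths named above) points at the directory holding Metasploit's `Gemfile`, that the listed packages provide the commands `mysql`, `msfconsole`, `ruby`, `pip` and `bundle`, and that `~/.msf4` is the user's Metasploit module directory; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not part of the Chameleon project): idempotent setup helper for
# the Metasploit side of the "Generate" step. Assumptions: MSF_DIR (or one of the
# README's two default paths) contains Metasploit's Gemfile; ~/.msf4 is the user's
# Metasploit module tree; the command names below are what the packages install.
set -eu

# Report which required commands are missing (one per line); return 1 if any are.
check_prereqs() {
    missing=0
    for cmd in mysql msfconsole ruby pip bundle; do
        if ! command -v "$cmd" >/dev/null 2>&1; then
            echo "missing: $cmd"
            missing=1
        fi
    done
    return $missing
}

# Print the metasploit-framework directory: MSF_DIR if set, else the first of
# the two install locations mentioned in the README that holds a Gemfile.
detect_msf_dir() {
    for d in "${MSF_DIR:-}" /usr/share/metasploit-framework /opt/metasploit-framework/embedded/framework; do
        if [ -n "$d" ] && [ -f "$d/Gemfile" ]; then
            echo "$d"
            return 0
        fi
    done
    echo "metasploit-framework directory not found; set MSF_DIR" >&2
    return 1
}

# Append "gem '<name>'" to a Gemfile unless an entry for that gem already exists,
# so re-running the setup never produces duplicate lines. Prints "added" or "present".
ensure_gem_entry() {
    gemfile="$1"
    gemname="$2"
    if grep -Eq "^[[:space:]]*gem[[:space:]]+['\"]${gemname}['\"]" "$gemfile"; then
        echo "present"
    else
        printf "gem '%s'\n" "$gemname" >> "$gemfile"
        echo "added"
    fi
}

# Copy Chameleon's Metasploit modules into the module tree, creating it if
# needed, and print how many .rb files the destination now contains.
install_modules() {
    src="$1"
    dest="$2"
    [ -d "$src" ] || { echo "module source $src not found" >&2; return 1; }
    mkdir -p "$dest"
    cp -r "$src"/. "$dest"/
    find "$dest" -name '*.rb' | wc -l | tr -d ' '
}

# Full procedure: prerequisites, Gemfile entries, bundle, module copy.
# Run from the cloned Chameleon directory with CHAMELEON_SETUP=1.
main() {
    check_prereqs || { echo "install the missing packages first" >&2; exit 1; }
    msf_dir=$(detect_msf_dir)
    ensure_gem_entry "$msf_dir/Gemfile" origami
    ensure_gem_entry "$msf_dir/Gemfile" chunky_png
    (cd "$msf_dir" && bundle)
    echo "modules in ~/.msf4: $(install_modules ./src/metasploit_modules "$HOME/.msf4")"
}

# Only run the setup when explicitly asked, so the functions can be sourced
# and exercised one at a time.
if [ "${CHAMELEON_SETUP:-0}" = 1 ]; then
    main "$@"
fi
```

Run it as `CHAMELEON_SETUP=1 MSF_DIR=/opt/metasploit-framework/embedded/framework sh setup_chameleon.sh` from the cloned repository. Because `ensure_gem_entry` greps for an existing entry before appending, and `install_modules` copies into the tree rather than replacing it, the script can be re-run after a partial failure without hand-editing the `Gemfile`.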