csvl · Nyrkhan · Jun 1, 2025
diff --git a/sema_toolchain/database/Binaries/malware-linux/GonnaCry.zip b/sema_toolchain/database/Binaries/malware-linux/GonnaCry.zip
diff --git a/sema_toolchain/database/Binaries/malware-win/wannacry.zip b/sema_toolchain/database/Binaries/malware-win/wannacry.zip
diff --git a/sema_toolchain/sema_scdg/Dockerfile b/sema_toolchain/sema_scdg/Dockerfile
@@ -119,9 +119,9 @@ RUN pip install -r /sema-scdg/requirements.txt --default-timeout=100
 
 # # Ensure the pypy binary is available in the PATH
 # ENV PATH="/opt/pypy3.9-v7.3.16-linux64/bin:$PATH"
-RUN pyenv install pypy3.9-7.3.16; pyenv local pypy3.9-7.3.16
-COPY ./sema_scdg/requirements_pypy.txt /sema-scdg/requirements_pypy.txt
-RUN pip install -r /sema-scdg/requirements_pypy.txt --default-timeout=100 
+#RUN pyenv install pypy3.9-7.3.16; pyenv local pypy3.9-7.3.16
+#COPY ./sema_scdg/requirements_pypy.txt /sema-scdg/requirements_pypy.txt
+#RUN pip install -r /sema-scdg/requirements_pypy.txt --default-timeout=100 
 
 
 # TODO

diff --git a/sema_toolchain/sema_scdg/application/SemaSCDG.py b/sema_toolchain/sema_scdg/application/SemaSCDG.py
@@ -121,7 +121,10 @@ def __init__(self):
         self.scdg_graph = []
         self.new = {}
         self.nameFileShort = ""
-        self.content = b""
+        self.content = ""
+
+        with open_file(self.binary_path, "rb") as f:
+            self.content = f.read()
 
         self.plugins = PluginManager()
         self.packing_manager = self.plugins.get_plugin_packing()
@@ -159,6 +162,7 @@ def get_config_param(self, config):
         self.track_command = config['Plugins_to_load'].getboolean('plugin_track_command')
         self.ioc_report = config['Plugins_to_load'].getboolean('plugin_ioc_report')
         self.hooks_enable = config['Plugins_to_load'].getboolean('plugin_hooks')
+        self.call_replace = config['Plugins_to_load'].getboolean('plugin_call_replace')
         self.sim_file = config['SCDG_arg'].getboolean('sim_file')
         self.count_block_enable = config['SCDG_arg'].getboolean('count_block_enable')
         self.plugin_enable = config['SCDG_arg'].getboolean('plugin_enable')
@@ -328,10 +332,10 @@ def get_entry_addr(self, proj):
             addr = self.config["SCDG_arg"]["entry_addr"]
             if addr != "None":
                 #Convert string into hexadecimal
-                addr = hex(int(addr, 16))
+                addr = int(addr, 16)
+                self.log.info(f"Entry_state address = {str(hex(addr))}")
             else:
                 addr = None
-        self.log.info(f"Entry_state address = {str(addr)}")
         return addr
 
     def get_binary_args(self):
@@ -538,9 +542,11 @@ def collect_data(self, exp_dir, proj, state, simgr, execution_time):
             self.data_manager.get_plugin_data(state, simgr, to_store=self.store_data)
 
         if self.track_command:
-            self.plugins.enable_plugin_commands(self, simgr, self.scdg_graph, exp_dir)
+            self.plugins.enable_plugin_commands(simgr, self.scdg_graph, exp_dir)
         if self.ioc_report:
-            self.plugins.enable_plugin_ioc(self, self.scdg_graph, exp_dir)
+            self.plugins.enable_plugin_ioc(self.scdg_graph, exp_dir)
+        if self.call_replace:
+            self.plugins.enable_plugin_call_replace(self.scdg_graph)
 
     def run(self, exp_dir):
         """

diff --git a/sema_toolchain/sema_scdg/application/helper/SyscallToSCDG.py b/sema_toolchain/sema_scdg/application/helper/SyscallToSCDG.py
@@ -503,7 +503,7 @@ def add_SysCall(self, syscall, n_args, state):
         else:
             if len(self.scdg[id][-1]) != 0:
                 # if same address and different name, we have an inline call (call to another simprocedure used during the hook), discard !
-                if (self.scdg[id][-1]["addr"] == dic["addr"] and self.scdg[id][-1]["name"] != dic["name"]):
+                if (self.scdg[id][-1]["addr"] == dic["addr"] and self.scdg[id][-1]["name"] != dic["name"] and dic["addr_func"] == self.scdg[id][-1]["addr_func"]):
                     return
 
                 self.scdg[id].append(dic)

diff --git a/sema_toolchain/sema_scdg/application/plugin/PluginCallReplace.py b/sema_toolchain/sema_scdg/application/plugin/PluginCallReplace.py
@@ -0,0 +1,80 @@
+import os
+import sys
+import random
+
+
+class PluginCallReplace:
+
+
+    def __init__(self):
+        pass
+
+
+    def call_replace(self,scdg):
+        fields = ['name', 'args', 'addr_func', 'addr', 'ret']
+        # call that need to be replaced, add info only on what differ from the replaced call
+        to_replace = {
+            "is_path": [
+                {'name': 'opendir'},
+                {'name': 'closedir', 'ret': 0x0}
+            ],
+            "WannacryHook_Str":[
+                {'name': "GetComputerNameW", 'ret': "retval_GetComputerNameW_0_32", 'args':["replace_2147417141",399]},
+                {'name': "wcslen", 'ret': 12, 'args': ["replace_2147417141"]},
+                {'name': "wcslen", 'ret': 12, 'args': ["replace_2147417141"]},
+                {'name': "srand",'ret': 0x0, 'args': []},
+                {'name': "rand", 'ret': 0, 'args': []},
+                {'name': "rand", 'ret': 0, 'args': []},
+            ],
+            "WannacryHook2": [
+                {'name': "InitializeCriticalSection", 'args':["replace_2147415672"],'ret': 0x0},
+                {'name': "InitializeCriticalSection", 'args': ["replace_2147415632"],'ret': 0x0}
+            ],
+            "WannacryHook3": [
+                {'name': "DeleteCriticalSection", 'args':["replace_2147415672"],'ret': 0x0},
+                {'name': "DeleteCriticalSection", 'args':["replace_2147415632"],'ret': 0x0},
+            ],
+            "WannacryHook4": [
+                {'name': "strlen", 'args': ["WNcry@2ol7"], "ret": 10},
+                {'name': "??2@YAPAXI@Z", 'args': [11], 'ret': "replace_3221324456"},
+                {'name': "strcpy", 'args': ["replace_3221324456","WNcry@2ol7"], 'ret': 0x0},
+            ],
+            "WannacryHook_add_to_file_list":[
+                {'name': "operator_new", 'args':[0x4ec]}
+            ],
+            "WannacryHook_allocate_24":[
+                {'name': "operator_new", 'args': [0x18]}
+            ],
+            "WannacryHook_cleanup":[
+                {'name': "operator_delete"}
+            ],
+            "WannacryHook_cls_100071f8":[
+                {'name': "InitializeCriticalSection",'ret': 0x0},
+                {'name': "InitializeCriticalSection",'ret': 0x0},
+                {'name': "operator_new", 'args': [0x18]}
+            ],
+            "WannacryHook_free_contexts":[
+                {'name': "CryptReleaseContext", 'ret': 0x0},
+                {'name': "cryptDestroyKey", 'ret': 0x0},
+                {'name': "GlobalFree", 'ret': 0x0},
+                {'name': "WaitForSingleObject", 'ret': 0x0},
+                {'name': "DeleteCriticalSection", 'ret': 0x0},
+                {'name': "wcslen"},
+            ]
+
+        }
+        for i in scdg:
+            for call in i:
+                if call["name"] in to_replace.keys():
+                    #print("-------------------------")
+                    #print(call)
+                    for to_add in to_replace[call["name"]]:
+                        new_call = {
+                            field: to_add[field] if field in to_add else call[field]
+                            for field in fields
+                        }
+                        new_call["addr_func"] = "replace_" + new_call["addr_func"]
+                        new_call["addr"] = "replace_" + new_call["addr"]
+                        i.append(new_call)
+                        #print(new_call)
+                    i.remove(call)