README
¶
Molly
=====
Molly (after Molly Hooper in Sherlock Holmes, not the drug) is an automated file analysis and extraction tool. It can search files for user-defined patterns and perform various actions when a match is found.
Molly comes with a number of operators for analyzing and files in addition to a simple API for adding custom ones.
Molly was initially developed in the SECONDS (Secure Connected Devices) project for binary extraction from foreign firmware images.
Installation
------------
Binaries are found on the `download page <https://bitbucket.org/vahidi/molly/downloads/>`_, but might be slightly out of date.
To build from source::
sudo apt install golang build-essential git
git clone https://bitbucket.org/vahidi/molly
cd molly
make && make test && make run
Rules
-----
Molly uses a rule database to store known patterns. The rules have a simple and familiar syntax, for example the following will recognize ZIP files)::
rule ZIP (bigendian = false, tag = "archive") {
var header = String(0, 4); /* extract 4-byte string at position 0 */
var csize = Long(18); /* extract 32-bit at position 18 */
var usize = Long(22);
if header == { 'P', 'K', 0x05, 0x06} || header == {'P', 'K', 0x03, 0x04};
extract("zip", ""); /* apply the ZIP extractor on this file */
}
For more detailed information refer to the `manual <manual.pdf>`_.
Documentation
¶
Overview ¶
Package molly is the root for the library API in molly
Index ¶
- func ExtractReport(m *types.Molly) *types.Report
- func LoadRules(m *types.Molly, files ...string) error
- func LoadRulesFromText(m *types.Molly, text string) error
- func New() *types.Molly
- func ScanData(m *types.Molly, data []byte) error
- func ScanFiles(m *types.Molly, files ...string) error
- func Version() (int, int, int)
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ExtractReport ¶
ExtractReport generates a report
func LoadRulesFromText ¶
LoadRulesFromText reads rules from a string
Types ¶
This section is empty.
Source Files
Directories
¶
| Path | Synopsis |
|---|---|
|
cmd
|
|
|
Package exp contains expression types and the logic to evaluate them
|
Package exp contains expression types and the logic to evaluate them |
|
prim
Package prim contains primitive types used in the epxressions
|
Package prim contains primitive types used in the epxressions |
|
package operators contains actions functions that can be called from rules.
|
package operators contains actions functions that can be called from rules. |
|
analyzers
Package analyzers contains different file analyzers.
|
Package analyzers contains different file analyzers. |
|
extractors
Package extractors contains file extractors for various formats
|
Package extractors contains file extractors for various formats |
|
Package report provides helper functions to extract data from the generated reports
|
Package report provides helper functions to extract data from the generated reports |
|
Package scan contains scanner/parser code for rules and scanner code for the binary files
|
Package scan contains scanner/parser code for rules and scanner code for the binary files |
|
Package types contain main types used in the API + some minimal logic.
|
Package types contain main types used in the API + some minimal logic. |
|
Package util contains various utility functions used by other packages
|
Package util contains various utility functions used by other packages |
Click to show internal directories.
Click to hide internal directories.