polyverse/ropoly
Build Instructions for Ubuntu with Docker
From the project directory, run the following (the second and third commands run inside the container started by the first):
$ docker run --rm -it -v $PWD:/go/src/github.com/polyverse/ropoly golang bash
$ cd /go/src/github.com/polyverse/ropoly
$ go build
Run Instructions for Docker
The container must be run with --cap-add=SYS_PTRACE --security-opt seccomp=unconfined --privileged, which ROPoly needs in order to read the memory and loaded libraries of other processes.
Port 8008 must be mapped to a port on the host with -p (for example -p 8008:8008) in order to view output.
Build Instructions for Alpine with Docker
From the project directory, run the following (the commands after the first run inside the container):
$ docker run --rm -it -v $PWD:/go/src/github.com/polyverse/ropoly golang:1.8-alpine /bin/ash
$ cd /go/src/github.com/polyverse/ropoly
$ apk add --no-cache make build-base
$ go build
Command Line Options
server
Runs as a server exposing the API described under "Ropoly API Endpoints." Use this option, "scan", or both.
scan
Runs as a daemon that repeatedly scans the server's file system and the libraries of its running processes to check for Polyverse signatures. Use this option, "server", or both.
log
Use only with "scan". Logs the results of scanning for signatures.
prometheus
Use only with "scan". Not yet implemented, and doesn't do anything useful.
ROPoly API Endpoints
/api/v1/pids
Return list of all visible process ids and information about each process.
/api/v1/pid/<pid>/libraries[?signatures=true]
Return list of loaded libraries for the given pid. If pid is 0, pid refers to the ROPoly process itself. If signatures is true, also list whether or not each library has a Polyverse signature.
/api/v1/pid/<pid>/memory[?mode=<regions|search|disasm|gadget|fingerprint>][&start=<start>][&end=<end>][&instructions=<instructions>][&octets=<octets>][&limit=<limit>][&access=<[R][W][X][F]|None>][&<string|regexp>=<target>]
Return information about the memory of the given pid according to the option provided in mode.
regions
Return list of memory regions of the given pid that have at least the permissions named in access (default R). Any combination of R, W, X and F (Windows only) is permitted, as is the token None, which returns all regions. (Case is not significant.)
search
Search executable memory of the given pid between start and end and return up to limit matches. If string is used, target is matched as a literal string; if regexp is used, target is a regular expression.
disasm
Disassemble executable memory of the given pid between start and end and return up to limit instructions.
gadget
Search executable memory of the given pid between start and end and return up to limit gadgets, each containing at most instructions instructions and at most octets bytes.
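The regions mode above is, on Linux, a filtered view of /proc/<pid>/maps. The following Go program is an added example (not ROPoly's own code) that parses maps-format text into regions and applies the same access semantics as the endpoint: a region is returned only if it carries every permission requested, None disables filtering, the match is case-insensitive, an empty value defaults to R, and the Windows-only F flag is accepted but has no /proc equivalent. The maps text embedded in it is constructed sample input; the addresses and paths are made up.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Region is one mapping parsed from a /proc/<pid>/maps line.
type Region struct {
	Start, End uint64
	Perms      string // the maps permission column, e.g. "r-xp"
	Path       string // backing file or pseudo-path such as [heap]; empty if anonymous
}

// sampleMaps is constructed sample input in /proc/<pid>/maps format (made up).
const sampleMaps = `00400000-00452000 r-xp 00000000 08:02 173521 /usr/bin/example
00651000-00652000 r--p 00051000 08:02 173521 /usr/bin/example
00652000-00655000 rw-p 00052000 08:02 173521 /usr/bin/example
00e03000-00e24000 rw-p 00000000 00:00 0 [heap]
7f1c2b5e0000-7f1c2b7a0000 r-xp 00000000 08:02 395184 /lib/x86_64-linux-gnu/libc-2.27.so
7ffd4e7c0000-7ffd4e7e1000 rw-p 00000000 00:00 0 [stack]
`

// parseMaps parses maps-format text into regions.
func parseMaps(text string) ([]Region, error) {
	var regions []Region
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 0 {
			continue
		}
		lo, hi, ok := strings.Cut(fields[0], "-")
		if len(fields) < 5 || !ok {
			return nil, fmt.Errorf("malformed maps line: %q", sc.Text())
		}
		start, err1 := strconv.ParseUint(lo, 16, 64)
		end, err2 := strconv.ParseUint(hi, 16, 64)
		if err1 != nil || err2 != nil {
			return nil, fmt.Errorf("bad address range %q", fields[0])
		}
		r := Region{Start: start, End: end, Perms: fields[1]}
		if len(fields) > 5 {
			r.Path = strings.Join(fields[5:], " ")
		}
		regions = append(regions, r)
	}
	return regions, sc.Err()
}

// parseAccess interprets the access parameter. It returns the permission
// letters that must all be present, or all=true for the token None.
func parseAccess(access string) (want []byte, all bool, err error) {
	a := strings.ToLower(strings.TrimSpace(access))
	if a == "" {
		a = "r" // endpoint default
	}
	if a == "none" {
		return nil, true, nil
	}
	for i := 0; i < len(a); i++ {
		switch a[i] {
		case 'r', 'w', 'x':
			want = append(want, a[i])
		case 'f': // Windows-only flag: accepted, but nothing in /proc/maps to match
		default:
			return nil, false, fmt.Errorf("invalid access flag %q", a[i])
		}
	}
	return want, false, nil
}

// filterRegions keeps the regions that carry at least the requested permissions.
func filterRegions(regions []Region, access string) ([]Region, error) {
	want, all, err := parseAccess(access)
	if err != nil || all {
		return regions, err
	}
	var out []Region
	for _, r := range regions {
		ok := true
		for _, p := range want {
			if strings.IndexByte(r.Perms, p) < 0 {
				ok = false
				break
			}
		}
		if ok {
			out = append(out, r)
		}
	}
	return out, nil
}

func main() {
	regions, err := parseMaps(sampleMaps)
	if err != nil {
		panic(err)
	}
	exec, _ := filterRegions(regions, "RX") // the regions a gadget search would cover
	for _, r := range exec {
		fmt.Printf("%012x-%012x %s %s\n", r.Start, r.End, r.Perms, r.Path)
	}
}
```

Run as written it lists the two executable mappings of the sample; point parseMaps at the contents of a real /proc/<pid>/maps to get the same view the endpoint returns for that pid.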
/api/v1/files/<path>[?mode=<directory|signature|disasm|gadget>]
View information about the file or directory at the given path on the server according to the option provided in mode.
directory
View the contents of the given directory. Fails if given a file.
signature
Looks for the Polyverse signature, "-PV-", in the given file, and returns whether or not it is found. Fails if given a directory.
disasm
Disassembles the .text section of the given ELF binary. Fails if given a directory, or if the given file is not an ELF binary.
gadget
Search the executable code of the given ELF binary and return up to limit gadgets, each containing at most instructions instructions and at most octets bytes. Fails if given a directory, or if the given file is not an ELF binary.
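The signature mode above and the scan option both come down to one check: does a file contain the marker "-PV-"? The following Go program is an added example (not ROPoly's own code) of that check done the way a file-system scanner should do it: it streams the file in chunks while still catching a marker that straddles a chunk boundary, refuses a directory the way mode=signature does, and walks a tree reporting only ELF files (identified by their magic bytes), which is the subset the scan option cares about. The names containsSignature, hasSignatureFile, isELF and scanTree are this example's own.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
)

// polyverseSignature is the marker the README says the signature mode looks for.
const polyverseSignature = "-PV-"

// elfMagic is the four-byte identifier at the start of every ELF file.
var elfMagic = []byte{0x7f, 'E', 'L', 'F'}

// containsSignature streams r in 64 KiB chunks and reports whether the marker
// occurs anywhere, including across a chunk boundary, without reading the
// whole file into memory.
func containsSignature(r io.Reader) (bool, error) {
	sig := []byte(polyverseSignature)
	buf := make([]byte, 64*1024)
	var carry []byte // last len(sig)-1 bytes of the previous chunk
	for {
		n, err := r.Read(buf)
		if n > 0 {
			window := append(carry, buf[:n]...)
			if bytes.Contains(window, sig) {
				return true, nil
			}
			keep := len(sig) - 1
			if len(window) < keep {
				keep = len(window)
			}
			carry = append([]byte(nil), window[len(window)-keep:]...)
		}
		if err == io.EOF {
			return false, nil
		}
		if err != nil {
			return false, err
		}
	}
}

// hasSignatureFile mirrors mode=signature: it fails for a directory and
// otherwise reports whether the file carries the marker.
func hasSignatureFile(path string) (bool, error) {
	info, err := os.Stat(path)
	if err != nil {
		return false, err
	}
	if info.IsDir() {
		return false, fmt.Errorf("%s is a directory, not a file", path)
	}
	f, err := os.Open(path)
	if err != nil {
		return false, err
	}
	defer f.Close()
	return containsSignature(f)
}

// isELF checks the magic bytes and rewinds f so the caller can scan it.
func isELF(f *os.File) (bool, error) {
	var hdr [4]byte
	if _, err := io.ReadFull(f, hdr[:]); err != nil {
		if err == io.EOF || err == io.ErrUnexpectedEOF {
			return false, nil // shorter than a header: not an ELF file
		}
		return false, err
	}
	_, err := f.Seek(0, io.SeekStart)
	return bytes.Equal(hdr[:], elfMagic), err
}

// scanTree walks root like the scan option walks the file system and returns,
// for every ELF file found, whether it carries the marker.
func scanTree(root string) (map[string]bool, error) {
	results := map[string]bool{}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if !d.Type().IsRegular() {
			return nil
		}
		f, err := os.Open(path)
		if err != nil {
			return err
		}
		defer f.Close()
		if elf, err := isELF(f); err != nil || !elf {
			return err
		}
		signed, err := containsSignature(f)
		if err != nil {
			return err
		}
		results[path] = signed
		return nil
	})
	return results, err
}

func main() {
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	results, err := scanTree(root)
	if err != nil {
		panic(err)
	}
	for path, signed := range results {
		fmt.Printf("signed=%-5v %s\n", signed, path)
	}
}
```

Run it with a directory argument (for example a library directory) and each ELF file is reported once with signed=true or signed=false; an unreadable file or a permission error stops the walk with that error rather than being silently counted as unsigned.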