Hugging Face's logo

Spaces:
zosiade
/
malware-deobfuscator
Sleeping

App Files Community
malware-deobfuscator
File size: 6,694 Bytes
5bd5b9f
3c52718
 
 
 
5bd5b9f
3c52718
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
import streamlit as st
import os
from dotenv import load_dotenv
import requests
import json

### Load environment variables
load_dotenv()

### Page configuration
st.set_page_config(
    page_title="🐞T&S Malware Deobfuscator",
    page_icon="πŸ”",
    layout="wide"
)

### Title and description
st.title("🐞 AI-Powered Malware Deobfuscator")
st.markdown("""
This tool uses AI to analyze and deobfuscate potentially malicious code.
Upload obfuscated code and get an understanding of its behaviour.
""")

### Sidebar for configuration
st.sidebar.header("βš™οΈ Configuration")
ai_provider = st.sidebar.radio(
    "Select AI Provider:",
    ["GitHub Models", "Azure OpenAI"]
)

### Function to call GitHub Models
def analyze_with_github_models(code, task_type):
    """
    Uses GitHub Models API to analyze code
    """
    token = os.getenv("GITHUB_TOKEN")
    
    if not token:
        return "❌ Error: GitHub token not found. Please set GITHUB_TOKEN in your environment."
    
    ### Prepare the prompt based on task
    if task_type == "deobfuscate":
        prompt = f"""You are a malware analyst. Analyze this obfuscated code and provide:
1. A deobfuscated (cleaned up, readable) version
2. Explanation of what it does
3. Potential security risks
4. If the code is too long to process, please do the following: 
 - review the code in chunks that can be processed
 - analyse strings in the top part of the code when variables are defined 
 - if this all fails, summarize the code's behaviour instead 

Do not produce an error if the obfuscated code is too long to process. Instead, follow the instructions above.

Provide clear, structured output and make comparisons with known malware patterns where applicable.

Code:
{code}"""
    elif task_type == "explain":
        prompt = f"""Explain what this code does in simple terms. Identify any malicious behavior:

Code:
{code}"""
    else:  ### yara
        prompt = f"""Generate a YARA rule to detect code similar to this:

Code:
{code}"""
    
    ### API endpoint for GitHub Models (using GPT-4o)
    url = "https://models.inference.ai.azure.com/chat/completions"
    
    headers = {
        "Content-Type": "application/json",
        "Authorization": f"Bearer {token}"
    }
    
    data = {
        "model": "gpt-4o",
        "messages": [
            {"role": "system", "content": "You are an expert malware analyst and security researcher."},
            {"role": "user", "content": prompt}
        ],
        "temperature": 0.3,
        "max_tokens": 2000
    }
    
    try:
        response = requests.post(url, headers=headers, json=data, timeout=30)
        response.raise_for_status()
        result = response.json()
        return result['choices'][0]['message']['content']
    except Exception as e:
        return f"❌ Error: {str(e)}\n\nResponse: {response.text if 'response' in locals() else 'No response'}"

### Function to call Azure OpenAI
def analyze_with_azure(code, task_type):
    """
    Uses Azure OpenAI to analyze code
    """
    endpoint = os.getenv("AZURE_OPENAI_ENDPOINT")
    api_key = os.getenv("AZURE_OPENAI_KEY")
    deployment = os.getenv("AZURE_OPENAI_DEPLOYMENT")
    
    if not all([endpoint, api_key, deployment]):
        return "❌ Error: Azure OpenAI credentials not configured."
    
    ### Prepare the prompt
    if task_type == "deobfuscate":
        prompt = f"""Analyze this obfuscated malicious code and provide:
1. Deobfuscated version
2. Explanation of functionality
3. Security threats

Code:
{code}"""
    elif task_type == "explain":
        prompt = f"""Explain this code's behavior and identify threats:\n\n{code}"""
    else:
        prompt = f"""Generate a YARA rule for this code:\n\n{code}"""
    
    url = f"{endpoint}/openai/deployments/{deployment}/chat/completions?api-version=2024-02-15-preview"
    
    headers = {
        "Content-Type": "application/json",
        "api-key": api_key
    }
    
    data = {
        "messages": [
            {"role": "system", "content": "You are an expert malware analyst."},
            {"role": "user", "content": prompt}
        ],
        "temperature": 0.3,
        "max_tokens": 2000
    }
    
    try:
        response = requests.post(url, headers=headers, json=data, timeout=30)
        response.raise_for_status()
        result = response.json()
        return result['choices'][0]['message']['content']
    except Exception as e:
        return f"❌ Error: {str(e)}"

### Main interface
col1, col2 = st.columns(2)

with col1:
    st.header("πŸ“₯ Input")
    
    ### Input method selection
    input_method = st.radio("Choose input method:", ["Paste Code", "Upload File"])
    
    if input_method == "Paste Code":
        code_input = st.text_area(
            "Paste obfuscated code here:",
            height=300,
            placeholder="eval(base64_decode('...'))"
        )
    else:
        uploaded_file = st.file_uploader("Upload a file", type=['txt', 'js', 'py', 'ps1'])
        if uploaded_file:
            code_input = uploaded_file.read().decode('utf-8')
            st.text_area("File contents:", code_input, height=300)
        else:
            code_input = ""
    
    ### Analysis type
    analysis_type = st.selectbox(
        "Select analysis type:",
        ["Deobfuscate & Explain", "Quick Explanation", "Generate YARA Rule"]
    )
    
    ### Analyze button
    analyze_button = st.button("πŸ” Analyze Code", type="primary")

with col2:
    st.header("πŸ“€ Results")
    
    if analyze_button:
        if not code_input:
            st.warning("⚠️ Please provide some code to analyze.")
        else:
            with st.spinner("πŸ€– Analyzing code..."):
                ### Map analysis type to task type
                task_map = {
                    "Deobfuscate & Explain": "deobfuscate",
                    "Quick Explanation": "explain",
                    "Generate YARA Rule": "yara"
                }
                task_type = task_map[analysis_type]
                
                ### Call appropriate API
                if ai_provider == "GitHub Models":
                    result = analyze_with_github_models(code_input, task_type)
                else:
                    result = analyze_with_azure(code_input, task_type)
                
                ### Display results
                st.markdown("#### Analysis Results")
                st.markdown(result)
                
                ### Download button
                st.download_button(
                    label="πŸ“₯ Download Analysis",
                    data=result,
                    file_name="malware_analysis.txt",
                    mime="text/plain"
                )