Airgorah
is a WiFi auditing software that can discover the clients connected to an access point, perform deauthentication attacks against specific clients or all the clients connected to it, capture WPA handshakes, and crack the password of the access point.
It is written in Rust and uses GTK4 for the graphical part. The software is mainly based on aircrack-ng tools suite.
β Don't forget to put a star if you like the project!
This software only works on linux
and requires root
privileges to run.
You will also need a wireless network card that supports monitor mode
and packet injection
.
The installation instructions are available here.
The documentation about the usage of the application is available here.
This project is released under MIT license.
If you have any question about the usage of the application, do not hesitate to open a discussion
If you want to report a bug or provide a feature, do not hesitate to open an issue or submit a pull request
A cutting-edge utility designed exclusively for web security aficionados, penetration testers, and system administrators. WebSecProbe is your advanced toolkit for conducting intricate web security assessments with precision and depth. This robust tool streamlines the intricate process of scrutinizing web servers and applications, allowing you to delve into the technical nuances of web security and fortify your digital assets effectively.
WebSecProbe is designed to perform a series of HTTP requests to a target URL with various payloads in order to test for potential security vulnerabilities or misconfigurations. Here's a brief overview of what the code does:
Does This Tool Bypass 403 ?
It doesn't directly attempt to bypass a 403 Forbidden status code. The code's purpose is more about testing the behavior of the server when different requests are made, including requests with various payloads, headers, and URL variations. While some of the payloads and headers in the code might be used in certain scenarios to test for potential security misconfigurations or weaknesses, it doesn't guarantee that it will bypass a 403 Forbidden status code.
In summary, this code is a tool for exploring and analyzing a web server's responses to different requests, but whether or not it can bypass a 403 Forbidden status code depends on the specific configuration and security measures implemented by the target server.
Β
pip install WebSecProbe
WebSecProbe <URL> <Path>
Example:
WebSecProbe https://example.com admin-login
from WebSecProbe.main import WebSecProbe
if __name__ == "__main__":
url = 'https://example.com' # Replace with your target URL
path = 'admin-login' # Replace with your desired path
probe = WebSecProbe(url, path)
probe.run()
The project consists of repositories:
It's only for education purposes.
Avoid using it on the production Active Directory (AD) domain.
Neither contributor incur any responsibility for any using it.
Check out our Red Team community Telegram channel
For the visual descriptions, open the diagram files using the diagrams.net tool.
The app consists of:
The DC Sonar Community provides functionality for analyzing AD domains for security risks related to accounts:
Register analyzing AD domain in the app
See the statuses of domain analyzing processes
Dump and brute NTLM hashes from set AD domains to list accounts with weak and vulnerable passwords
Analyze AD domain accounts to list ones with never expire passwords
Analyze AD domain accounts by their NTLM password hashes to determine accounts and domains where passwords repeat
In progress ...
It is assumed that you have a clean Ubuntu Server 22.04 and account with the username "user".
The app will install to /home/user/dc-sonar
.
The next releases maybe will have a more flexible installation.
Download dc_sonar_NNNN.N.NN-N_amd64.tar.gz from the last distributive to the server.
Create a folder for extracting files:
mkdir dc_sonar_NNNN.N.NN-N_amd64
Extract the downloaded archive:
tar -xvf dc_sonar_NNNN.N.NN-N_amd64.tar.gz -C dc_sonar_NNNN.N.NN-N_amd64
Go to the folder with the extracted files:
cd dc_sonar_NNNN.N.NN-N_amd64/
Install PostgreSQL:
sudo bash install_postgresql.sh
Install RabbitMQ:
sudo bash install_rabbitmq.sh
Install dependencies:
sudo bash install_dependencies.sh
It will ask for confirmation of adding the ppa:deadsnakes/ppa repository. Press Enter
.
Install dc-sonar itself:
sudo dpkg -i dc_sonar_NNNN.N.NN-N_amd64.deb
It will ask for information for creating a Django admin user. Provide username, mail and password.
It will ask for information for creating a self-signed SSL certificate twice. Provide required information.
Open: https://localhost
Enter Django admin user credentials set during the installation process before.
See the information in STYLE_GUIDE.md
In progress ...
In this case, we will set up the environment for editing code on the Windows host while running Python code on the Ubuntu guest.
Create a virtual machine with 2 CPU, 2048 MB RAM, 10GB SSD using Ubuntu Server 22.04 iso in VirtualBox.
If Ubuntu installer asks for updating ubuntu installer before VM's installation - agree.
Choose to install OpenSSH Server.
VirtualBox Port Forwarding Rules:
Name | Protocol | Host IP | Host Port | Guest IP | Guest Port |
---|---|---|---|---|---|
SSH | TCP | 127.0.0.1 | 2222 | 10.0.2.15 | 22 |
RabbitMQ management console | TCP | 127.0.0.1 | 15672 | 10.0.2.15 | 15672 |
Django Server | TCP | 127.0.0.1 | 8000 | 10.0.2.15 | 8000 |
NTLM Scrutinizer | TCP | 127.0.0.1 | 5000 | 10.0.2.15 | 5000 |
PostgreSQL | TCP | 127.0.0.1 | 25432 | 10.0.2.15 | 5432 |
Download and install Python 3.10.5.
Create a folder for the DC Sonar project.
Go to the project folder using Git for Windows:
cd '{PATH_TO_FOLDER}'
Make Windows installation steps for dc-sonar-user-layer.
Make Windows installation steps for dc-sonar-workers-layer.
Make Windows installation steps for ntlm-scrutinizer.
Make Windows installation steps for dc-sonar-frontend.
Make steps from "Open VirtualBox" to "Reboot VM", but add shared folders to VM VirtualBox with "Auto-mount", like in the picture below:
After reboot, run command:
sudo adduser $USER vboxsf
Perform logout and login for the using user account.
In /home/user
directory, you can use mounted folders:
ls -l
Output:
total 12
drwxrwx--- 1 root vboxsf 4096 Jul 19 13:53 dc-sonar-user-layer
drwxrwx--- 1 root vboxsf 4096 Jul 19 10:11 dc-sonar-workers-layer
drwxrwx--- 1 root vboxsf 4096 Jul 19 14:25 ntlm-scrutinizer
Install PostgreSQL on Ubuntu 20.04:
sudo apt update
sudo apt install postgresql postgresql-contrib
sudo systemctl start postgresql.service
Create the admin database account:
sudo -u postgres createuser --interactive
Output:
Enter name of role to add: admin
Shall the new role be a superuser? (y/n) y
Create the dc_sonar_workers_layer database account:
sudo -u postgres createuser --interactive
Output:
Enter name of role to add: dc_sonar_workers_layer
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n
Create the dc_sonar_user_layer database account:
sudo -u postgres createuser --interactive
Output:
Enter name of role to add: dc_sonar_user_layer
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n
Create the back_workers_db database:
sudo -u postgres createdb back_workers_db
Create the web_app_db database:
sudo -u postgres createdb web_app_db
Run the psql:
sudo -u postgres psql
Set a password for the admin account:
ALTER USER admin WITH PASSWORD '{YOUR_PASSWORD}';
Set a password for the dc_sonar_workers_layer account:
ALTER USER dc_sonar_workers_layer WITH PASSWORD '{YOUR_PASSWORD}';
Set a password for the dc_sonar_user_layer account:
ALTER USER dc_sonar_user_layer WITH PASSWORD '{YOUR_PASSWORD}';
Grant CRUD permissions for the dc_sonar_workers_layer account on the back_workers_db database:
\c back_workers_db
GRANT CONNECT ON DATABASE back_workers_db to dc_sonar_workers_layer;
GRANT USAGE ON SCHEMA public to dc_sonar_workers_layer;
GRANT ALL ON ALL TABLES IN SCHEMA public TO dc_sonar_workers_layer;
GRANT ALL ON ALL SEQUENCES IN SCHEMA public TO dc_sonar_workers_layer;
GRANT ALL ON ALL FUNCTIONS IN SCHEMA public TO dc_sonar_workers_layer;
Grant CRUD permissions for the dc_sonar_user_layer account on the web_app_db database:
\c web_app_db
GRANT CONNECT ON DATABASE web_app_db to dc_sonar_user_layer;
GRANT USAGE ON SCHEMA public to dc_sonar_user_layer;
GRANT ALL ON ALL TABLES IN SCHEMA public TO dc_sonar_user_layer;
GRANT ALL ON ALL SEQUENCES IN SCHEMA public TO dc_sonar_user_layer;
GRANT ALL ON ALL FUNCTIONS IN SCHEMA public TO dc_sonar_user_layer;
Exit of the psql:
\q
Open the pg_hba.conf file:
sudo nano /etc/postgresql/12/main/pg_hba.conf
Add the line for the connection to allow the connection from the host machine to PostgreSQL, save changes and close the file:
# IPv4 local connections:
host all all 127.0.0.1/32 md5
host all admin 0.0.0.0/0 md5
Open the postgresql.conf file:
sudo nano /etc/postgresql/12/main/postgresql.conf
Change specified below params, save changes and close the file:
listen_addresses = 'localhost,10.0.2.15'
shared_buffers = 512MB
work_mem = 5MB
maintenance_work_mem = 100MB
effective_cache_size = 1GB
Restart the PostgreSQL service:
sudo service postgresql restart
Check the PostgreSQL service status:
service postgresql status
Check the log file if it is needed:
tail -f /var/log/postgresql/postgresql-12-main.log
Now you can connect to created databases using admin account and client such as DBeaver from Windows.
Install RabbitMQ using the script.
Enable the management plugin:
sudo rabbitmq-plugins enable rabbitmq_management
Create the RabbitMQ admin account:
sudo rabbitmqctl add_user admin {YOUR_PASSWORD}
Tag the created user for full management UI and HTTP API access:
sudo rabbitmqctl set_user_tags admin administrator
Open management UI on http://localhost:15672/.
Ensure that your system is updated and the required packages installed:
sudo apt update && sudo apt upgrade -y
Install the required dependency for adding custom PPAs:
sudo apt install software-properties-common -y
Then proceed and add the deadsnakes PPA to the APT package manager sources list as below:
sudo add-apt-repository ppa:deadsnakes/ppa
Download Python 3.10:
sudo apt install python3.10=3.10.5-1+focal1
Install the dependencies:
sudo apt install python3.10-dev=3.10.5-1+focal1 libpq-dev=12.11-0ubuntu0.20.04.1 libsasl2-dev libldap2-dev libssl-dev
Install the venv module:
sudo apt-get install python3.10-venv
Check the version of installed python:
python3.10 --version
Output:
Python 3.10.5
Add IP addresses of Domain Controllers to /etc/hosts
sudo nano /etc/hosts
We have to create venv on a level above as VM VirtualBox doesn't allow us to make it in shared folders.
Go to the home directory where shared folders located:
cd /home/user
Make deploy steps for dc-sonar-user-layer on Ubuntu.
Make deploy steps for dc-sonar-workers-layer on Ubuntu.
Make deploy steps for ntlm-scrutinizer on Ubuntu.
Make config steps for dc-sonar-user-layer on Ubuntu.
Make config steps for dc-sonar-workers-layer on Ubuntu.
Make config steps for ntlm-scrutinizer on Ubuntu.
Make run steps for ntlm-scrutinizer on Ubuntu.
Make run steps for dc-sonar-user-layer on Ubuntu.
Make run steps for dc-sonar-workers-layer on Ubuntu.
Make run steps for dc-sonar-frontend on Windows.
Open https://localhost:8000/admin/ in a browser on the Windows host and agree with the self-signed certificate.
Open https://localhost:4200/ in the browser on the Windows host and login as created Django user.
Aura is a static analysis framework developed as a response to the ever-increasing threat of malicious packages and vulnerable code published on PyPI.
Project goals:
Feature list:
Didn't find what you are looking for? Aura's architecture is based on a robust plugin system, where you can customize almost anything, ranging from a set of data analyzers, transport protocols to custom out formats.
# Via pip:
pip install aura-security[full]
# or build from source/git
poetry install --no-dev -E full
Or just use a prebuild docker image sourcecodeai/aura:dev
docker run -ti --rm sourcecodeai/aura:dev scan pypi://requests -v
Aura uses a so-called URIs to identify the protocol and location to scan, if no protocol is used, the scan argument is treated as a path to the file or directory on a local system.
Diff packages:
docker run -ti --rm sourcecodeai/aura:dev diff pypi://requests pypi://requests2
Find most popular typosquatted packages (you need to call aura update
to download the dataset first):
aura find-typosquatting --max-distance 2 --limit 10
While there are other tools with functionality that overlaps with Aura such as Bandit, dlint, semgrep etc. the focus of these alternatives is different which impacts the functionality and how they are being used. These alternatives are mainly intended to be used in a similar way to linters, integrated into IDEs, frequently run during the development which makes it important to minimize false positives and reporting with clear actionable explanations in ideal cases.
Aura on the other hand reports on ** behavior of the code**, anomalies, and vulnerabilities with as much information as possible at the cost of false positive. There are a lot of things reported by aura that are not necessarily actionable by a user but they tell you a lot about the behavior of the code such as doing network communication, accessing sensitive files, or using mechanisms associated with obfuscation indicating a possible malicious code. By collecting this kind of data and aggregating it together, Aura can be compared in functionality to other security systems such as antivirus, IDS, or firewalls that are essentially doing the same analysis but on a different kind of data (network communication, running processes, etc).
Here is a quick overview of differences between Aura and other similar linters and SAST tools:
# nosec
that will suppress the alert at that positionAura framework is licensed under the GPL-3.0. Datasets produced from global scans using Aura are released under the CC BY-NC 4.0 license. Use the following citation when using Aura or data produced by Aura in research:
@misc{Carnogursky2019thesis,
AUTHOR = "CARNOGURSKY, Martin",
TITLE = "Attacks on package managers [online]",
YEAR = "2019 [cit. 2020-11-02]",
TYPE = "Bachelor Thesis",
SCHOOL = "Masaryk University, Faculty of Informatics, Brno",
SUPERVISOR = "Vit Bukac",
URL = "Available at WWW <https://is.muni.cz/th/y41ft/>",
}
Packj (pronounced package) is a command line (CLI) tool to vet open-source software packages for "risky" attributes that make them vulnerable to supply chain attacks. This is the tool behind our large-scale security analysis platform Packj.dev that continuously vets packages and provides free reports.
Packj accepts two input args:
Packj supports vetting of PyPI, NPM, and RubyGems packages. It performs static code analysis and checks for several metadata attributes such as release timestamps, author email, downloads, dependencies. Packages with expired email domains, large release time gap, sensitive APIs, etc. are flagged as risky for security reasons.
Packj also analyzes public repo code as well as metadata (e.g., stars, forks). By comparing the repo description and package title, you can be sure if the package indeed has been created from the repo to mitigate any starjacking
attacks.
The best way to use Packj is to run it inside Docker (or Podman) container. You can pull our latest image from DockerHub to get started.
docker pull ossillate/packj:latest
$ docker run --mount type=bind,source=/tmp,target=/tmp ossillate/packj:latest npm browserify
[+] Fetching 'browserify' from npm...OK [ver 17.0.0]
[+] Checking version...ALERT [598 days old]
[+] Checking release history...OK [484 version(s)]
[+] Checking release time gap...OK [68 days since last release]
[+] Checking author...OK [mail@substack.net]
[+] Checking email/domain validity...ALERT [expired author email domain]
[+] Checking readme...OK [26838 bytes]
[+] Checking homepage...OK [https://github.com/browserify/browserify#readme]
[+] Checking downloads...OK [2.2M weekly]
[+] Checking repo_url URL...OK [https://github.com/browserify/browserify]
[+] Checking repo data...OK [stars: 14077, forks: 1236]
[+] Checking repo activity...OK [commits: 2290, contributors: 207, tags: 413]
[+] Checking for CVEs...OK [none found]
[+] Checking dependencies...ALERT [48 found]
[+] Downloading package 'browserify' (ver 17. 0.0) from npm...OK [163.83 KB]
[+] Analyzing code...ALERT [needs 3 perms: process,file,codegen]
[+] Checking files/funcs...OK [429 files (383 .js), 744 funcs, LoC: 9.7K]
=============================================
[+] 5 risk(s) found, package is undesirable!
=> Complete report: /tmp/npm-browserify-17.0.0.json
{
"undesirable": [
"old package: 598 days old",
"invalid or no author email: expired author email domain",
"generates new code at runtime",
"reads files and dirs",
"forks or exits OS processes",
]
}
Specific package versions to be vetted could be specified using ==
. Please refer to the example below
$ docker run --mount type=bind,source=/tmp,target=/tmp ossillate/packj:latest pypi requests==2.18.4
[+] Fetching 'requests' from pypi...OK [ver 2.18.4]
[+] Checking version...ALERT [1750 days old]
[+] Checking release history...OK [142 version(s)]
[+] Checking release time gap...OK [14 days since last release]
[+] Checking author...OK [me@kennethreitz.org]
[+] Checking email/domain validity...OK [me@kennethreitz.org]
[+] Checking readme...OK [49006 bytes]
[+] Checking homepage...OK [http://python-requests.org]
[+] Checking downloads...OK [50M weekly]
[+] Checking repo_url URL...OK [https://github.com/psf/requests]
[+] Checking repo data...OK [stars: 47547, forks: 8758]
[+] Checking repo activity...OK [commits: 6112, contributors: 725, tags: 144]
[+] Checking for CVEs...ALERT [2 found]
[+] Checking dependencies...OK [9 direct]
[+] Downloading package 'requests' (ver 2.18.4) from pypi...OK [123.27 KB]
[+ ] Analyzing code...ALERT [needs 4 perms: codegen,process,file,network]
[+] Checking files/funcs...OK [47 files (33 .py), 578 funcs, LoC: 13.9K]
=============================================
[+] 6 risk(s) found, package is undesirable, vulnerable!
{
"undesirable": [
"old package: 1744 days old",
"invalid or no homepage: insecure webpage",
"generates new code at runtime",
"fetches data over the network",
"reads files and dirs",
],
"vulnerable": [
"contains CVE-2018-18074,CVE-2018-18074"
]
}
=> Complete report: /tmp/pypi-requests-2.18.4.json
=> View pre-vetted package report at https://packj.dev/package/PyPi/requests/2.18.4
Alternatively, you can install Python/Ruby dependencies locally and test it.
NOTE
pip install -r requirements.txt
gem install google-protobuf:3.21.2 rubocop:1.31.1
$ python3 main.py npm eslint
[+] Fetching 'eslint' from npm...OK [ver 8.16.0]
[+] Checking version...OK [10 days old]
[+] Checking release history...OK [305 version(s)]
[+] Checking release time gap...OK [15 days since last release]
[+] Checking author...OK [nicholas+npm@nczconsulting.com]
[+] Checking email/domain validity...OK [nicholas+npm@nczconsulting.com]
[+] Checking readme...OK [18234 bytes]
[+] Checking homepage...OK [https://eslint.org]
[+] Checking downloads...OK [23.8M weekly]
[+] Checking repo_url URL...OK [https://github.com/eslint/eslint]
[+] Checking repo data...OK [stars: 20669, forks: 3689]
[+] Checking repo activity...OK [commits: 8447, contributors: 1013, tags: 302]
[+] Checking for CVEs...OK [none found]
[+] Checking dependencies...ALERT [35 found]
[+] Downloading package 'eslint' (ver 8.16.0) from npm...OK [490.14 KB]
[+] Analyzing code...ALERT [needs 2 perms: codegen,file]
[+ ] Checking files/funcs...OK [395 files (390 .js), 1022 funcs, LoC: 76.3K]
=============================================
[+] 2 risk(s) found, package is undesirable!
{
"undesirable": [
"generates new code at runtime",
"reads files and dirs: ['package/lib/cli-engine/load-rules.js:37', 'package/lib/cli-engine/file-enumerator.js:142']"
]
}
=> Complete report: /tmp/npm-eslint-8.16.0.json
The design of Packj is guided by our study of 651 malware samples of documented open-source software supply chain attacks. Specifically, we have empirically identified a number of risky code and metadata attributes that make a package vulnerable to supply chain attacks.
For instance, we flag inactive or unmaintained packages that no longer receive security fixes. Inspired by Android app runtime permissions, Packj uses a permission-based security model to offer control and code transparency to developers. Packages that invoke sensitive operating system functionality such as file accesses and remote network communication are flagged as risky as this functionality could leak sensitive data.
Some of the attributes we vet for, include
Attribute | Type | Description | Reason |
---|---|---|---|
Release date | Metadata | Version release date to flag old or abandonded packages | Old or unmaintained packages do not receive security fixes |
OS or lang APIs | Code | Use of sensitive APIs, such as exec and eval
| Malware uses APIs from the operating system or language runtime to perform sensitive operations (e.g., read SSH keys) |
Contributors' email | Metadata | Email addresses of the contributors | Incorrect or invalid of email addresses suggest lack of 2FA |
Source repo | Metadata | Presence and validity of public source repo | Absence of a public repo means no easy way to audit or review the source code publicly |
Full list of the attributes we track can be viewed at threats.csv
These attributes have been identified as risky by several other researchers [1, 2, 3] as well.
Packj has been developed with a goal to assist developers in identifying and reviewing potential supply chain risks in packages.
However, since the degree of perceived security risk from an untrusted package depends on the specific security requirements, Packj can be customized according to your threat model. For instance, a package with no 2FA may be perceived to pose greater security risks to some developers, compared to others who may be more willing to use such packages for the functionality offered. Given the volatile nature of the problem, providing customized and granular risk measurement is one of our goals.
Packj can be customized to minimize noise and reduce alert fatigue by simply commenting out unwanted attributes in threats.csv
We found over 40 malicious packages on PyPI using this tool. A number of them been taken down. Refer to an example below:
$ python3 main.py pypi krisqian
[+] Fetching 'krisqian' from pypi...OK [ver 0.0.7]
[+] Checking version...OK [256 days old]
[+] Checking release history...OK [7 version(s)]
[+] Checking release time gap...OK [1 days since last release]
[+] Checking author...OK [KrisWuQian@baidu.com]
[+] Checking email/domain validity...OK [KrisWuQian@baidu.com]
[+] Checking readme...ALERT [no readme]
[+] Checking homepage...OK [https://www.bilibili.com/bangumi/media/md140632]
[+] Checking downloads...OK [13 weekly]
[+] Checking repo_url URL...OK [None]
[+] Checking for CVEs...OK [none found]
[+] Checking dependencies...OK [none found]
[+] Downloading package 'KrisQian' (ver 0.0.7) from pypi...OK [1.94 KB]
[+] Analyzing code...ALERT [needs 3 perms: process,network,file]
[+] Checking files/funcs...OK [9 files (2 .py), 6 funcs, LoC: 184]
=============================================
[+] 6 risk(s) found, package is undes irable!
{
"undesirable": [
"no readme",
"only 45 weekly downloads",
"no source repo found",
"generates new code at runtime",
"fetches data over the network: ['KrisQian-0.0.7/setup.py:40', 'KrisQian-0.0.7/setup.py:50']",
"reads files and dirs: ['KrisQian-0.0.7/setup.py:59', 'KrisQian-0.0.7/setup.py:70']"
]
}
=> Complete report: pypi-KrisQian-0.0.7.json
=> View pre-vetted package report at https://packj.dev/package/PyPi/KrisQian/0.0.7
Packj flagged KrisQian (v0.0.7) as suspicious due to absence of source repo and use of sensitive APIs (network, code generation) during package installation time (in setup.py). We decided to take a deeper look, and found the package malicious. Please find our detailed analysis at https://packj.dev/malware/krisqian.
More examples of malware we found are listed at https://packj.dev/malware Please reach out to us at oss@ossillate.com for full list.
To learn more about Packj tool or open-source software supply chain attacks, refer to our
Packj has been developed by Cybersecurity researchers at Ossillate Inc. and external collaborators to help developers mitigate risks of supply chain attacks when sourcing untrusted third-party open-source software dependencies. We thank our developers and collaborators.
We welcome code contributions. Join our discord community for discussion and feature requests.
Packj can currently vet NPM, PyPI, and RubyGems packages for "risky" attributes. We are adding support for Rust.
This is a very common malicious behavior. Packj detects code obfuscation as well as spawning of shell commands (exec system call). For example, Packj can flag use of getattr()
and eval()
API as they indicate "runtime code generation"; a developer can go and take a deeper look then. See main.py for details.
Packj currently uses static code analysis to derive permissions (e.g., file/network accesses). Therefore, it can detect open() calls if used by the malware directly (e.g., not obfuscated in a base64 encoded string). But, Packj can also point out such base64 decode calls. Fortunately, malware has to use these APIs (read, open, decode, eval, etc.) for their functionality -- there's no getting around. Having said that, a sophisticated malware can hide itself better, so dynamic analysis must be performed for completeness. We are incorporating strace-based dynamic analysis (containerized) to collect system calls. See roadmap for details.