PyREBox Overview

The developers have presented PyREBox, a project that provides an environment for reverse engineering and monitoring the behavior of malicious software. PyREBox is an add-on built on top of QEMU that provides additional tools for inspecting memory contents, debugging, and dynamic analysis of the system and its applications.


PyREBox creates an emulated environment for the entire system and offers a simple interface for monitoring it. It does not require specific drivers or agents to be installed in the guest; instead it works directly at the emulator level and through the provided VMI (Virtual Machine Introspection) API. At present it is possible to create i386 and x86_64 environments; support for ARM, MIPS, PowerPC and other architectures is planned.

You can learn how Sandbox is used to analyze scripts written in Python in this article. This program is provided “AS IS”, and no support is guaranteed.

PyREBox is inspired by several academic projects, such as DECAF or PANDA. In fact, many of the callbacks supported by PyREBox are equivalent to those found in DECAF, and the concepts behind the instrumentation are based on these works.

PyREBox benefits from third-party code, which can be found under the directory pyrebox/third_party. For each third-party project, we include an indication of its original license, the original source code files taken from the project, as well as the modified versions of the source code files (if applicable), used by PyREBox.

If you think you’ve found a bug, you may report it here.