Full Disclosure mailing list archives
Re: ABfrag - *yawn*
From: silvio () big net au
Date: Sat, 19 Oct 2002 04:02:04 -0700
BUT.. OTOH. i've had fun graphing it so far with my bin analysis code. work in progress, and wasn't really meant to be used on real life binaries at this point, but the graphs look pretty neat anyway. i did have to add a reasonable amount of new features in the past couple days to get some decentish graphs, and it only graphs the plaintext code in the binary. though the version i've been graphing has a vx attached, and isn't actually a functional executable, presumably due to corruption on infection *shrug*. the graphs show the vx nicely though.. you can see 2 distinct objects within the binary (i have the main callgraph separated into disjoint graphs to indicate different "sections"). these are presumably the vx, and the burneye decryptor stubs. i have not tried at this point to go further into the burneye encryption, since it means i have to probably add BE specific code - something i'd like to hold off for a short time. it's not automatic at this point to say which parts were not analysed, but should have been - thus indicating our ciphertext (or data etc) - so this is obviously bad for people not looking at the binary manually in conjunction.

the graphs are at www.securityhacker.org which is a temp domain setup by some nice folks so i can display some content without the www.big.net.au quota restrictions (the data generated is about 15M). it's all auto generated to html hyperlinked content with .gif's, .html and .txt etc. you can click on nodes, link to callgraphs etc. the entire content is created completely automatically. no post editing was done or hand linking the html or .txt etc. the code to generate the last set of graphs (TAKE3) is present on my www.big.net.au/~silvio site.

OF COURSE.. a lot is to come in the graphing and bin analysis, and this ABFrag business pre-empted actual live testing of my code by a significant time frame - but the analysis appears to work reasonably well anyway from its current implementation and missing a lot of things (there is not really any dataflow analysis at this point, and many things can be done with the controlflow analysis that i haven't yet implemented etc). i added a small thing not 15 minutes ago to allow importing custom symbol tables as ascii. this helps when you do manual analysis also, and want to use symbolic names instead of addresses etc in the callgraph (since this binary did not have any symbolic information immediately present in .symtab or .dynsym if it was dynamically linked etc).

--
Silvio

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html