"Like Ryszard Siwiec, I burn so that you may think."


Some graphs

While playing with MmmBop I sometimes recorded the transfers between basic blocks. I tried to produce some graphs from that to make a nice visualization; however, in various cases (e.g. tElock, PESpin) I had recorded so many edges that GraphViz was unable to produce a correct graph. I tried a few other things like Tulip, but they didn't really work either. One thing that actually worked was Walrus3D, but the graphs are not really a good visualization for this example, IMHO. Anyway, maybe you will like the following ones:
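As an added example (not the blog's or MmmBop's code), this is the edge reduction that makes such traces renderable: count repeated basic-block transfers instead of keeping one edge per execution, optionally collapse blocks into aligned regions so only cross-region handovers (an unpacker jumping into a freshly written layer) remain, and emit GraphViz DOT. The "src->dst" trace line format and the sample addresses are constructed assumptions.

```python
from collections import Counter

# Constructed sample trace: one "src->dst" basic-block transfer per line.
# Not MmmBop output; the line format is an assumption for this example.
SAMPLE_TRACE = """\
0x401000->0x401020
0x401020->0x401000
0x401000->0x401020
0x401020->0x401040
0x401040->0x402000
0x402000->0x402010
0x402010->0x402000
0x402000->0x402010
0x402010->0x403000
"""

def parse_edges(trace: str) -> Counter:
    """Count each distinct (src, dst) transfer, so a decompression loop that
    runs thousands of times becomes one weighted edge, not thousands."""
    edges: Counter = Counter()
    for line in trace.splitlines():
        line = line.strip()
        if not line or "->" not in line:
            continue
        src, dst = (int(x, 16) for x in line.split("->", 1))
        edges[(src, dst)] += 1
    return edges

def collapse_to_regions(edges: Counter, granularity: int = 0x1000) -> Counter:
    """Merge blocks into aligned regions (default 4 KiB pages). Intra-region
    transfers are dropped; what survives is control passing between regions,
    which is where an unpacker hands over to code it has just written."""
    regions: Counter = Counter()
    for (src, dst), n in edges.items():
        rs, rd = src // granularity * granularity, dst // granularity * granularity
        if rs != rd:
            regions[(rs, rd)] += n
    return regions

def to_dot(edges: Counter, min_weight: int = 1) -> str:
    """Emit a DOT digraph; edges below min_weight are pruned, labels are counts."""
    lines = ["digraph transfers {", "  node [shape=box];"]
    for (src, dst), n in sorted(edges.items()):
        if n >= min_weight:
            lines.append(f'  "{src:#x}" -> "{dst:#x}" [label="{n}"];')
    lines.append("}")
    return "\n".join(lines)
```

Feeding the output of `to_dot(collapse_to_regions(parse_edges(trace)))` to `dot -Tsvg` gives a layer-level view that stays renderable even when the block-level graph does not.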


MmmBop tracing the unpacking process of a UPX-packed binary:

[Figure: MmmBop vs UPX]

MmmBop tracing the unpacking process of a tElock-packed binary (Walrus as renderer here):

[Figure: MmmBop vs tElock - RENDER1]
[Figure: MmmBop vs tElock - RENDER2]

PAPER: Generic Unpacking of Self-modifying, Aggressive, Packed Binary Programs

ABSTRACT

Nowadays most malware applications are either packed or protected. These techniques are applied especially to evade signature-based detectors and also to complicate the job of reverse engineers and security analysts. The time one must spend on unpacking or decrypting malware layers is often very long and in fact remains the most complicated task in the overall process of malware analysis. In this report the author proposes MmmBop as a relatively new concept of using dynamic binary instrumentation techniques for unpacking and bypassing detection by self-modifying and highly aggressive packed binary code. MmmBop is able to deal with most of the known and unknown packing algorithms and it is also suitable to successfully bypass most of the currently used anti-reversing tricks. [...]


The paper can be found at:
http://piotrbania.com/all/articles/pbania-dbi-unpacking2009.pdf

Dynamic Data Flow Analysis via Virtual Code Integration (aka The SpiderPig case)

SpiderPig is a project created for performing and visualizing data flow analysis of a selected binary program. SpiderPig was created with the purpose of providing a tool that would help vulnerability and security researchers trace and analyze any necessary data and its further propagation. Such tasks are very often crucial in the vulnerability discovery/identification process and typically require a lot of time-consuming manual work. The following paper discusses the methods and techniques implemented in SpiderPig in order to perform semi-automatic data flow analysis.

The paper is available here:
http://piotrbania.com/all/spiderpig/pbania-spiderpig2008.pdf

A simple video demo and some other things are available on the project website:
http://piotrbania.com/all/spiderpig/

Big thanks to Matt "skape" Miller and Julien Vanegue!