lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20021019040204.A2515@hamsec>
From: silvio at big.net.au (silvio@....net.au)
Subject: ABfrag - *yawn*

BUT.. OTOH.

i've had fun graphing it so far with my bin analysis code.  work in progress,
and wasn't really meant to be used on real life binaries at this point, but the
graphs look pretty neat anyway.

i did have to add a reasonable amount of new features in the past couple days
to get some decentish graphs, and it only graphs the plaintext code in the
binary.  though the version i've been graphing has a vx attached, and isnt
actually a functional executable, presumably due to corruption on
infection *shrug*.

the graphs show the vx nicely though.. you can see 2 distinct objects within
the binary (i have the main callgraph seperated into disjoint graphs to
indicate different "sections").  these are presumably the vx, and the
burneye decryptor stubs.

i have not tried at this point to go further into the burneye encryption,
since it means i have to probably add BE specific code - something i'd like to
hold off for a short time.  its not automatic at this point to say
that which parts that were not analysed, but should have been - thus
indicating our ciphertext (or data etc) - so this is obviously bad for
people not looking at the binary manually in conjunction.

the graphs are at www.securityhacker.org which is a temp domain setup by some
nice folks so i can display some content without the www.big.net.au quota
restrictions (the data generated is about 15M).  its all auto generated to
html hyperlinked content with .gif's .html and .txt etc.  you can click
on nodes, link to callgraphs etc.

the entire content is created completely automatically.  no post editing
was done or hand linking the html or .txt etc.  the code to generate the last
set of graphs (TAKE3) is present on my www.big.net.au/~silvio site.

OFCOURSE.. alot is to come in the graphing and bin analysis, and this ABFrag
business pre-empted actual live testing of my code by a signficant
time frame - but the analsysi  appears to work reasonably well anyway from
its current implementation and missing alot of things (there is not
really any dataflow analysis at this point, and many things can be done with
the controflow analysis that i havent yet implemented etc).

i added a small thing not 15 minutes ago to allow importing custom symbol
tables as ascii.  this helps when you do manaual analysis also, and want
to use symbolic names instead of addresses etc in the callgraph (since this
binary did not have any symbolic information immediately present in .symtab
or .dynsym if it was dynamically linked etc).

--
Silvio

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ