Full Disclosure mailing list archives

Re: ABfrag - *yawn*


From: silvio () big net au
Date: Sat, 19 Oct 2002 04:02:04 -0700

BUT.. OTOH.

i've had fun graphing it so far with my bin analysis code.  work in progress,
and wasn't really meant to be used on real life binaries at this point, but the
graphs look pretty neat anyway.

i did have to add a reasonable amount of new features in the past couple days
to get some decentish graphs, and it only graphs the plaintext code in the
binary.  though the version i've been graphing has a vx attached, and isn't
actually a functional executable, presumably due to corruption on
infection *shrug*.

the graphs show the vx nicely though.. you can see 2 distinct objects within
the binary (i have the main callgraph separated into disjoint graphs to
indicate different "sections").  these are presumably the vx, and the
burneye decryptor stubs.

i have not tried at this point to go further into the burneye encryption,
since it means i have to probably add BE specific code - something i'd like to
hold off for a short time.  it's not automatic at this point to say
which parts were not analysed, but should have been - thus
indicating our ciphertext (or data etc) - so this is obviously bad for
people not looking at the binary manually in conjunction.

the graphs are at www.securityhacker.org which is a temp domain setup by some
nice folks so i can display some content without the www.big.net.au quota
restrictions (the data generated is about 15M).  it's all auto generated to
html hyperlinked content with .gif's .html and .txt etc.  you can click
on nodes, link to callgraphs etc.

the entire content is created completely automatically.  no post editing
was done or hand linking the html or .txt etc.  the code to generate the last
set of graphs (TAKE3) is present on my www.big.net.au/~silvio site.

OF COURSE.. a lot is to come in the graphing and bin analysis, and this ABFrag
business pre-empted actual live testing of my code by a significant
time frame - but the analysis appears to work reasonably well anyway from
its current implementation and missing a lot of things (there is not
really any dataflow analysis at this point, and many things can be done with
the control flow analysis that i haven't yet implemented etc).

i added a small thing not 15 minutes ago to allow importing custom symbol
tables as ascii.  this helps when you do manual analysis also, and want
to use symbolic names instead of addresses etc in the callgraph (since this
binary did not have any symbolic information immediately present in .symtab
or .dynsym if it was dynamically linked etc).

--
Silvio
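The three ideas in the post above (a callgraph split into disjoint subgraphs to expose separate "sections" such as a decryptor stub, code-section ranges that no analysed function covers as a hint of ciphertext or data, and an ASCII symbol table to name nodes) as an added example, not Silvio's tool or code; the function table, section bounds and symbol table are constructed and every address is invented.

```python
from collections import defaultdict
# Constructed sample, not real disassembly: address -> (size, callee addresses).
# Two disjoint groups mimic the post: program/vx code and a separate decryptor stub.
FUNCS = {
    0x8048100: (0x40, [0x8048140, 0x8048180]),
    0x8048140: (0x40, []),
    0x8048180: (0x30, [0x8048140]),
    0x8049000: (0x20, [0x8049020]),
    0x8049020: (0x50, []),
}
TEXT = (0x8048100, 0x8049100)  # constructed code-section bounds
SYMTAB = "08048100 main\n08048140 helper\n08049000 decrypt_stub\n"  # constructed ASCII symtab

def load_symbols(text):
    """Parse an ASCII symbol table ('hexaddr name' per line) into {address: name}."""
    syms = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            addr, name = line.split(None, 1)
            syms[int(addr, 16)] = name.strip()
    return syms

def components(funcs, syms):
    """Split the callgraph into disjoint subgraphs, nodes named from syms."""
    adj = defaultdict(set)
    for f, (_, callees) in funcs.items():
        adj[f]  # keep isolated functions as their own node
        for c in callees:
            adj[f].add(c); adj[c].add(f)
    seen, comps = set(), []
    for start in sorted(adj):
        if start in seen: continue
        comp, stack = set(), [start]
        while stack:
            n = stack.pop()
            if n not in comp:
                comp.add(n); stack.extend(adj[n] - comp)
        seen |= comp
        comps.append([syms.get(a, "sub_%x" % a) for a in sorted(comp)])
    return comps

def unanalysed_gaps(funcs, section):
    """Code-section ranges no analysed function covers: candidate data/ciphertext."""
    lo, hi = section
    gaps, cur = [], lo
    for start in sorted(funcs):
        if start > cur: gaps.append((cur, start))
        cur = max(cur, start + funcs[start][0])
    if cur < hi: gaps.append((cur, hi))
    return gaps
```

With the constructed input, `components` yields two subgraphs and `unanalysed_gaps` reports the two uncovered ranges, which is the manual cross-check the post says the tool cannot yet do automatically.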
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
