Recon2012 - PREVIEW

Recon 2012

Aurelien Thierry
Day: Day 3 - 2012-06-16
Room: Grand Salon
Start time: 11:00
Duration: 01:00
ID: 226

Recognition of binary patterns by Morphological analysis

Morphological analysis is a method that we developed in order to recognize parts of binary programs.

Our method consists of the following steps: (1) we build an abstract representation of a binary code, a graph structure obtained by combining static and dynamic analysis, (2) we recognize similar codes with a fast comparison algorithm, and (3) we import precise results into IDA in order to realign codes.

Moreover, our code representation offers remarkable resistance against classic obfuscation techniques such as junk-code insertion and code realignment.
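To make the resistance claim concrete, here is an added sketch (not the speaker's tool or algorithm): it assumes a reduction that drops sequential instructions and unconditional jumps from a control-flow graph and compares what remains. The node kinds, function names and sample graphs are all constructed for illustration.

```python
# Toy CFG: node -> (kind, ordered successors). Kinds and graphs are constructed.
PASS_THROUGH = ("inst", "jmp")

def skip(cfg, node):
    """Follow sequential instructions and unconditional jumps to the next
    structural node (jcc, call, ret)."""
    seen = set()
    while cfg[node][0] in PASS_THROUGH and cfg[node][1] and node not in seen:
        seen.add(node)
        node = cfg[node][1][0]
    return node

def signature(cfg, entry):
    """Canonical form of the reduced graph: nodes numbered in depth-first
    order from the entry, each as (kind, successor numbers)."""
    order, todo = {}, [skip(cfg, entry)]
    while todo:
        node = todo.pop()
        if node in order:
            continue
        order[node] = len(order)
        todo.extend(reversed([skip(cfg, s) for s in cfg[node][1]]))
    return tuple((cfg[n][0], tuple(order[skip(cfg, s)] for s in cfg[n][1]))
                 for n in order)

# Constructed sample: a branch where one side calls a function, then returns.
ORIGINAL = {
    0: ("inst", [1]), 1: ("jcc", [2, 4]), 2: ("call", [3]),
    3: ("jmp", [5]), 4: ("inst", [5]), 5: ("ret", []),
}
# Same logic with junk instructions inserted and blocks relocated behind jumps.
OBFUSCATED = {
    "a": ("inst", ["j1"]), "j1": ("inst", ["b"]), "b": ("jmp", ["c"]),
    "c": ("jcc", ["d", "f"]), "d": ("inst", ["e"]), "e": ("call", ["h"]),
    "h": ("jmp", ["r"]), "f": ("inst", ["k"]), "k": ("jmp", ["r"]),
    "r": ("ret", []),
}
# Different logic: both sides of the branch make a call.
OTHER = {0: ("jcc", [1, 2]), 1: ("call", [3]), 2: ("call", [3]), 3: ("ret", [])}

if __name__ == "__main__":
    print(signature(ORIGINAL, 0) == signature(OBFUSCATED, "a"))  # same shape
    print(signature(ORIGINAL, 0) == signature(OTHER, 0))         # different
```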

We plan to give a demonstration of our tool and its interface to IDA. In particular, we will show during this talk how we were able to determine in a few milliseconds exactly which parts of the Duqu code are shared with Stuxnet. We will also show how we were able to automatically detect which libraries are used in Duqu.