Scheduled on: June 17 at 13:00
The talk will show, quite literally, how different visualization algorithms can highlight specific aspects of interest: well-connected graphs, disconnected graphs, or subgraphs with high density; a high density of API calls, or the complete absence of API calls, possibly paired with many accesses to global variables; specific groups of API calls, such as many memory allocations; or even defined patterns of APIs that indicate certain “behavior”. This makes it quick to spot the overall structure and core functionality, to identify copy/paste code and algorithms, and potentially also to notice the lack of structure, API calls, or readable strings.
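The graph properties named above (connected versus disconnected clusters, internal edge density, API call density, and groups of related APIs such as memory management) can be computed directly from a call graph before any layout algorithm draws it. The following is an added example, not code from the talk or its author: it builds a small, constructed call graph (function names and API names are made up for illustration), splits it into connected components of internal functions, and reports per component the metrics the talk describes. The `api_` prefix for imported functions and the `API_GROUPS` table are assumptions of this example.

```python
from collections import Counter, defaultdict, deque

# Constructed call graph (not from any real sample): caller -> list of callees.
# Names prefixed "api_" stand for imported API functions; all other names are
# internal functions. Repeated entries mean repeated call sites.
CALL_GRAPH = {
    "sub_401000": ["sub_401050", "api_VirtualAlloc", "api_VirtualAlloc", "api_memcpy"],
    "sub_401050": ["api_VirtualAlloc", "api_WriteProcessMemory", "sub_401000"],
    "sub_401100": ["sub_401150"],
    "sub_401150": ["sub_401100", "sub_401180"],
    "sub_401180": [],
    "sub_402000": ["api_CreateFileW", "api_ReadFile", "api_CloseHandle"],
}

# Hypothetical API groups used to label what a cluster is "about".
API_GROUPS = {
    "memory": {"api_VirtualAlloc", "api_memcpy", "api_WriteProcessMemory"},
    "file": {"api_CreateFileW", "api_ReadFile", "api_CloseHandle"},
}


def is_api(name):
    return name.startswith("api_")


def internal_components(graph):
    """Connected components over internal functions only (undirected view).
    API nodes are treated as attributes of their callers rather than as
    graph nodes, so two unrelated clusters that both call the same API
    stay separate instead of merging into one big blob."""
    adj = defaultdict(set)
    for caller, callees in graph.items():
        if caller not in adj:
            adj[caller] = set()  # keep isolated functions visible
        for callee in callees:
            if not is_api(callee):
                adj[caller].add(callee)
                adj[callee].add(caller)
    seen, components = set(), []
    for start in sorted(adj):
        if start in seen:
            continue
        comp, queue = set(), deque([start])
        seen.add(start)
        while queue:
            node = queue.popleft()
            comp.add(node)
            for nxt in adj[node]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        components.append(frozenset(comp))
    return components


def edge_density(component, graph):
    """Directed density of internal call edges inside a component:
    distinct internal edges / n*(n-1). A single function scores 0.0."""
    n = len(component)
    if n < 2:
        return 0.0
    edges = {(c, d) for c in component for d in set(graph.get(c, ()))
             if d in component and d != c}
    return len(edges) / (n * (n - 1))


def api_call_density(component, graph):
    """Fraction of all call sites in the component that target an API.
    0.0 means the cluster never leaves internal code (or makes no calls)."""
    total = api = 0
    for func in component:
        for callee in graph.get(func, ()):
            total += 1
            api += 1 if is_api(callee) else 0
    return api / total if total else 0.0


def api_histogram(component, graph):
    # Sorted iteration keeps most_common() ordering deterministic.
    return Counter(c for f in sorted(component)
                   for c in graph.get(f, ()) if is_api(c))


def api_groups_hit(component, graph):
    hist = api_histogram(component, graph)
    return sorted(g for g, names in API_GROUPS.items() if hist.keys() & names)


def summarize(graph):
    rows = []
    for comp in internal_components(graph):
        rows.append({
            "functions": sorted(comp),
            "edge_density": edge_density(comp, graph),
            "api_call_density": api_call_density(comp, graph),
            "top_apis": api_histogram(comp, graph).most_common(3),
            "groups": api_groups_hit(comp, graph),
        })
    return rows


if __name__ == "__main__":
    for row in summarize(CALL_GRAPH):
        print(row)
```

On the constructed input this yields three clusters: a tightly coupled pair with a high share of memory-management API calls, a three-function cluster with internal structure but no API calls at all, and a single function that does nothing but file I/O. Those are exactly the kinds of contrasts a layout algorithm would make visible, and computing them first lets an analyst decide which clusters deserve a closer look.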
That said, whether you want to or not, you’ll also find similarities between graphs and certain coding habits of the respective malware author.