By: Marion Marschalek

Scheduled on: June 17 at 13:00

Most malware sandboxes get hickups as soon as you feed them DLLs. Or GUI applications. Or, anything that won’t show all its features on plain execution. This, while they look quite fancy though, don’t they? Thats when I thought I want something fancy-looking too, that doesn’t rely on a hooking engine. This talk will present a way, how to statically visualize a binary’s callgraph along with API calls, strings and other supportive information, with the help of radare2. Dubbed r2graphity, it generates a data structure which can be brought to life with Gephi or Javascript, allowing lazy browsing through a piece of malware. Makes analyzing stuff like watching a movie, really.

It will, literally, be shown, how different visualization algorithms can highlight specific aspects of interest. This could be for example well connected graphs, disconnected graphs, subgraphs with high density; a high API call density, the lack of any API calls, possibly paired with lots of calls to global variables, or specific groups of API calls like e.g. lots of memory allocations, or even defined patterns of APIs that indicate certain “behavior”. This helps in quickly spotting overall structures, core functionality, one can identify copy/paste code, algorithms, and potentially also the lack of structure, API calls or readable strings.

That said, if you want or not, you’ll also find similarities between graphs and certain coding habits of the respective malware author.