Binary and Malware Analysis

Table of Contents

Dynamic data excavation
- BinArmor

In GUI browsers, I have this page themed dynamically, so when it's dark outside, you'll get a dark theme. You need JS enabled if you want the dynamic theme; I don't run any JS-based analytics or tracking.

Dynamic data excavation

Data is apparently unstructured, but usage isn’t.

Track pointers – root pointers, track how pointers derive from each other.

For arrays, look for loop accessing.

Type resolution points:

system calls: type parameter passing registers (ebx, ecx, edx, esi, edi, ebp), type return value in eax
standard library call: type corresponding argument and return value

Data-flow tracking

use shadow memory to keep variable attributes and track propagation

BinArmor

find arrays in binary programs
find accesses to arrays
rewrite binary:
- assign color to each array
- check colors on every array access
if pointer that first pointed into an array later accesses an area outside the array, crash

Can protect legacy binaries.