Helping Analysts Automate Reverse Engineering
Increasingly, malware is object oriented and written in C++. Object-oriented malware presents considerable challenges to engineers because it rarely has source code available and must be reverse engineered.
Reverse engineering is challenging and time consuming, and traditionally requires skilled and experienced analysts. C++ data structures are especially difficult to reverse engineer because they maintain state across multiple functions, they include sophisticated mechanics, and they can be arranged in arbitrarily complex relationships.
The SEI’s Pharos Binary Static Analysis Framework, built on the Rose compiler infrastructure developed by Lawrence Livermore National Laboratory, includes tools that automate common reverse engineering tasks.
In 2017, the SEI released OOAnalyzer as part of the Pharos suite. OOAnalyzer automatically recognizes common patterns that indicate C++-style objects in assembly code. It exports these patterns as JSON, which is then imported into IDA Pro by the OOAnalyzer.py plugin (part of the Pharos tool suite). The plugin helps malware analysts understand the program’s design and functionality.
CallAnalyzer, another tool in the Pharos suite, statically reasons about the contents of memory at each function call. This reasoning provides reverse engineers with concrete information that identifies the program state and the values passed to each function.
ApiAnalyzer, a pattern-matching tool in the suite, allows analysts to find program behaviors based on program API usage. It enables reverse engineers and malware analysts to specify and then search for many potentially malicious API function call patterns.
To help malware analysts perform quick surface analyses, Fn2Hash and Fn2Yara generate function hashes and YARA signatures for each function in a binary.
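The following is an added illustration of the idea behind per-function hashing and YARA generation; it is not Fn2Hash or Fn2Yara code and does not claim to reproduce their exact hashing scheme. It assumes a disassembler has already supplied the byte ranges of relocatable operands (addresses, import slots) inside each function, and the function bytes below are a constructed x86 sample: the same body at two load addresses, differing only in the absolute operand of a `call [mem]`. An exact hash of the raw bytes differs between the two, while a position-independent hash over the masked bytes matches, and the same mask becomes the `??` wildcards of a YARA hex string. Very short functions are rejected because a signature on a handful of bytes matches far too much.

```python
import hashlib

# Constructed sample: push ebp; mov ebp,esp; call dword ptr [abs32]; pop ebp; ret
# FUNC_A and FUNC_B differ only in the 4-byte absolute operand at offset 5.
FUNC_A = bytes.fromhex("558BECFF15001040005DC3")
FUNC_B = bytes.fromhex("558BECFF15002040005DC3")

# (offset, length) of relocatable operands, as a disassembler would report them
# (hypothetical input format for this example).
RELOC_RANGES = [(5, 4)]

# Functions shorter than this produce signatures that match almost anything.
MIN_FUNC_BYTES = 8


def _masked_offsets(ranges):
    """Expand (offset, length) pairs into the set of byte offsets to wildcard."""
    offsets = set()
    for off, length in ranges:
        offsets.update(range(off, off + length))
    return offsets


def mask_operands(code: bytes, ranges) -> bytes:
    """Zero every byte that belongs to a relocatable operand."""
    masked = _masked_offsets(ranges)
    return bytes(0 if i in masked else b for i, b in enumerate(code))


def exact_hash(code: bytes) -> str:
    """Hash of the raw function bytes; changes whenever an address operand changes."""
    return hashlib.sha256(code).hexdigest()


def pic_hash(code: bytes, ranges) -> str:
    """Position-independent hash: the same body at any load address hashes identically."""
    return hashlib.sha256(mask_operands(code, ranges)).hexdigest()


def yara_hex_string(code: bytes, ranges) -> str:
    """Render the function as a YARA hex string, wildcarding relocatable operands."""
    masked = _masked_offsets(ranges)
    return " ".join("??" if i in masked else f"{b:02X}" for i, b in enumerate(code))


def yara_rule(name: str, code: bytes, ranges):
    """Build a YARA rule for one function, or return None if it is too short to be useful."""
    if len(code) < MIN_FUNC_BYTES:
        return None
    return (
        f"rule {name}\n"
        "{\n"
        "    strings:\n"
        f"        $fn = {{ {yara_hex_string(code, ranges)} }}\n"
        "    condition:\n"
        "        $fn\n"
        "}\n"
    )


if __name__ == "__main__":
    print("exact A:", exact_hash(FUNC_A))
    print("exact B:", exact_hash(FUNC_B))
    print("pic   A:", pic_hash(FUNC_A, RELOC_RANGES))
    print("pic   B:", pic_hash(FUNC_B, RELOC_RANGES))
    print(yara_rule("fn_" + pic_hash(FUNC_A, RELOC_RANGES)[:16], FUNC_A, RELOC_RANGES))
```

Naming the rule after a prefix of the position-independent hash keeps rules for the same function body deduplicated across samples; the exact hash is still worth recording alongside it, since two functions with equal PIC hashes but different exact hashes point at the same code relinked at a different address.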
The SEI continually updates the Pharos framework, adding new tools to the suite. These tools, combined in the Pharos Binary Static Analysis Framework, assist reverse engineers and malware analysts in gaining insight into software binaries and help them combat the intrusion of object-oriented malware. To learn more about this work, visit the Pharos page in the SEI’s digital library.