Automatically detect obfuscated code and other state machines

Overview

Obfuscation Detection

Authored by: Tim Blazytko

Adapted by: mcdulltii

Description:

Scripts to automatically detect obfuscated code and state machines in binaries.

The implementation targets IDA 7.4+ (Python 3). Check out the following blog posts for more information on the Binary Ninja implementation:

Note:

Because a dominator tree is plotted recursively for every function found in the binary, the implementation carries a significant runtime overhead, even though threading has been implemented. The following bounds limit the work done:

import idautils
from idaapi import FlowChart, get_func

MAX_FUNCTIONS = 50   # above this many functions, only the top 10% (capped at MAX_FUNCTIONS) are reported
MAX_NODES = 50       # functions with more basic blocks than this are skipped
# --- snipped ---
# Count the functions IDA recognised and choose the heuristic mode accordingly
if sum(1 for _ in idautils.Functions()) > MAX_FUNCTIONS:
    detect.partial_heur()
else:
    detect.all_heur()
# --- snipped ---
# Skip a function whose flow chart has too many basic blocks for the dominator tree
if sum(1 for _ in FlowChart(get_func(ea))) > MAX_NODES:
    pass

For more details on partial_heur() and all_heur():

all_heur() runs every heuristic on the binary, then prints the heuristic results for all functions within the binary.

partial_heur() runs every heuristic on the binary, then prints the heuristic results for only the top 10% of functions (capped at MAX_FUNCTIONS).

The instruction overlapping heuristic uses mcsema's disassembly code to follow jmp and call instructions for better coverage.

Since the script relies on the IDA API, any function that IDA fails to recognise will most likely not be detected either.
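As an added example that is not part of obfDetect or Tim Blazytko's scripts, the Python below reproduces the heuristics named on this page on hand-built control-flow graphs instead of IDA's FlowChart: the control-flow flattening score via dominators, cyclomatic complexity, average basic block size, the MAX_NODES skip, and the "top 10% capped at MAX_FUNCTIONS" ranking that partial_heur() performs. The function names, the CFG representation and the sample functions are assumptions constructed for the demo.

```python
# Added example, not obfDetect's own code: the README's heuristics on a
# hand-built CFG instead of IDA's FlowChart. A function is a dict mapping
# block address -> (instruction count, [successor addresses]); the first key
# is the entry block. Every sample function below is constructed.

MAX_FUNCTIONS = 50   # same bounds the README shows
MAX_NODES = 50


def predecessors(cfg):
    preds = {b: set() for b in cfg}
    for b, (_, succs) in cfg.items():
        for s in succs:
            preds[s].add(b)
    return preds


def dominators(cfg):
    """Iterative dataflow: dom(n) = {n} | intersection of dom(p) over preds p."""
    blocks = list(cfg)
    entry = blocks[0]
    preds = predecessors(cfg)
    dom = {b: set(blocks) for b in blocks}
    dom[entry] = {entry}
    changed = True
    while changed:
        changed = False
        for b in blocks[1:]:
            new = set(blocks)
            for p in preds[b]:
                new &= dom[p]
            new.add(b)
            if new != dom[b]:
                dom[b] = new
                changed = True
    return dom


def flattening_score(cfg):
    """Largest share of the function dominated by a block that also receives a
    back edge from its dominated set. A flattening dispatcher dominates nearly
    every block and every case jumps back to it, so it scores close to 1.0."""
    dom = dominators(cfg)
    preds = predecessors(cfg)
    score = 0.0
    for b in cfg:
        dominated = {n for n in cfg if b in dom[n]}
        if not any(p in dominated for p in preds[b]):
            continue  # no back edge into this block: neither loop header nor dispatcher
        score = max(score, len(dominated) / len(cfg))
    return score


def cyclomatic_complexity(cfg):
    edges = sum(len(succs) for _, succs in cfg.values())
    return edges - len(cfg) + 2


def avg_block_size(cfg):
    return sum(n for n, _ in cfg.values()) / len(cfg)


def rank_functions(functions, partial):
    """Score every function small enough to analyse and order them by
    flattening score, best first. partial=True keeps the top 10 %, capped at
    MAX_FUNCTIONS, mirroring what the README says partial_heur() reports."""
    scores = {}
    for name, cfg in functions.items():
        if len(cfg) > MAX_NODES:
            continue  # too many basic blocks for the dominator computation
        scores[name] = (flattening_score(cfg),
                        cyclomatic_complexity(cfg),
                        avg_block_size(cfg))
    # sorted() yields a list, so reversed() works on every Python 3 release;
    # reversed() applied to dict_keys directly only works from Python 3.8 on.
    ordered = list(reversed(sorted(scores, key=lambda n: scores[n][0])))
    if partial:
        ordered = ordered[:min(MAX_FUNCTIONS, max(1, len(ordered) // 10))]
    return [(name, scores[name]) for name in ordered]


# Constructed sample functions (addresses are made up).
def flattened_cfg(n_cases):
    entry, disp = 0x1000, 0x1010
    cases = [0x1100 + 0x10 * i for i in range(n_cases)]
    cfg = {entry: (3, [disp]), disp: (5, cases)}
    for c in cases:
        cfg[c] = (4, [disp])       # every case jumps back to the dispatcher
    cfg[cases[-1]] = (2, [])       # except the one that returns
    return cfg


def diamond_cfg():                 # plain if/else, no loop
    return {0x2000: (2, [0x2010, 0x2020]), 0x2010: (3, [0x2030]),
            0x2020: (3, [0x2030]), 0x2030: (1, [])}


def loop_cfg():                    # ordinary while loop
    return {0x3000: (2, [0x3010]), 0x3010: (2, [0x3020, 0x3030]),
            0x3020: (4, [0x3010]), 0x3030: (1, [])}


def chain_cfg(n):                  # straight-line code with n blocks
    addrs = [0x4000 + 0x10 * i for i in range(n)]
    return {a: (1, [addrs[i + 1]] if i + 1 < n else [])
            for i, a in enumerate(addrs)}


SAMPLE = {"flat": flattened_cfg(6), "diamond": diamond_cfg(),
          "loop": loop_cfg(), "huge": chain_cfg(MAX_NODES + 10)}

if __name__ == "__main__":
    for name, (flat, cc, bsize) in rank_functions(SAMPLE, partial=False):
        print(f"{name:8s} flattening={flat:.3f} cyclomatic={cc} avg_block={bsize:.2f}")
```

Running it ranks the six-case flattened function first (score 0.875), the ordinary loop second (0.75) and the branch-only function last (0.0); the 60-block chain is skipped by the MAX_NODES bound. The plain loop scoring 0.75 is the caveat to keep in mind: any loop header with a back edge earns a non-zero score, which is why comparing functions across the whole binary, as partial_heur() does with its top-10% cut, is more useful than reading any single value in isolation.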

Usage

Copy the obfDetect directory and obfDetect.py into the IDA Plugins directory.

Once IDA has finished loading a binary, the script prints its banner into the IDC/Python console. If it does not, the script can be re-loaded with Alt-E by selecting it in the plugin dropdown.

The script can be run from the File toolbar as shown in the screenshot below, or with the Ctrl-Shift-H shortcut.

Toolbar

Examples

  • A small binary with 2 scanned functions

all_heur

  • Resilience test using a large binary obfuscated using O-LLVM

partial_heur

  • Instruction overlapping heuristic detection

instruction overlap

Todo

Comments
  • dict_keys error.

    While using it against Themida handhelds, I got this:

    func_list = list(reversed(sorted_functions.keys()))[:bound] if partial else list(reversed(sorted_functions.keys()))
    TypeError: 'dict_keys' object is not reversible
    
    bug 
    opened by ghost 2
Releases(v1.7)
  • v1.7(Mar 20, 2022)

  • v1.6(Feb 19, 2022)

    What's Changed

    • Refactor plugin handler
      • Removed duplicate banner print
      • Changed PLUGIN_FIX to PLUGIN_HIDE, user can just use Ctrl-Shift-H
    • Code cleanup in https://github.com/mcdulltii/obfDetect/pull/5

    Full Changelog: https://github.com/mcdulltii/obfDetect/compare/v1.5...v1.6

    Source code(tar.gz)
    Source code(zip)
  • v1.5(Sep 6, 2021)

    GUI Implementation

    GUI Features:

    • QTable Heuristic result view
    • Node limiting
    • Single/All function heuristic search
    • Heuristic result export

    Heuristic Features:

    • Control-Flow Flattening
    • Cyclomatic Complexity
    • Basic Block Size
    • Instruction Overlapping
    Source code(tar.gz)
    Source code(zip)
    obfDetect.zip(81.64 KB)
  • v1.4(Aug 29, 2021)

Owner
Aaron
A programming enthusiast that does image synthesis on the side.