Automatically detect obfuscated code and other state machines

Overview

Obfuscation Detection

Authored by: Tim Blazytko

Adapted by: mcdulltii

Description:

Scripts to automatically detect obfuscated code and state machines in binaries.

The implementation is based on IDA 7.4+ (Python 3). Check out the following blog posts for more information on the Binary Ninja implementation:

Note:

Because the script recursively plots a dominator tree for every function found in the binary, the implementation and its runtime overhead are expensive, although threading has been implemented.

import idautils
from idaapi import FlowChart, get_func

MAX_FUNCTIONS = 50  # above this many functions only the top-ranked ones are reported
MAX_NODES = 50      # per-function basic-block limit
# --- snipped ---
# detect: the plugin's heuristic driver; choose the cheaper mode for large binaries
if sum(1 for _ in idautils.Functions()) > MAX_FUNCTIONS:
    detect.partial_heur()
else:
    detect.all_heur()
# --- snipped ---
# ea: start address of the function currently being analysed
if sum(1 for _ in FlowChart(get_func(ea))) > MAX_NODES:
    pass  # node limit exceeded (see "Node limiting" in the v1.5 release notes)

For more details on partial_heur() and all_heur():

all_heur() calls every heuristic on the binary, then prints the heuristic results for every function in the binary.

partial_heur() calls every heuristic on the binary, then prints the heuristic results for the top 10% of functions (capped at MAX_FUNCTIONS).

The instruction-overlapping heuristic uses mcsema's disassembly code to follow jmp and call instructions for better coverage.

Since the script uses the IDA API, any functions that are missed by IDA will likely not be detected.
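The following is an added example, not the plugin's own code, that models the ranking described above in pure Python so it runs outside IDA. It scores constructed CFGs with the dominator-based control-flow-flattening heuristic from Blazytko's blog posts (the share of blocks dominated by a loop head), skips functions above MAX_NODES, and selects either all functions or the top 10% bounded by MAX_FUNCTIONS; the names dominators, flattening_score, rank_functions and the CFG dictionaries are assumptions made for this example. Sorting dict items with reverse=True sidesteps the reversed(dict_keys) TypeError that Python versions before 3.8 raise, which is the error reported in the comments further down.

```python
from typing import Dict, List, Set, Tuple

MAX_FUNCTIONS = 50  # same bounds as the plugin snippet above
MAX_NODES = 50

Cfg = Dict[int, List[int]]  # block id -> successor ids; block 0 is the entry

def dominators(cfg: Cfg) -> Dict[int, Set[int]]:
    """Iterative dataflow: dom(n) = {n} | intersection of dom(p) over predecessors p."""
    preds = {n: [p for p in cfg if n in cfg[p]] for n in cfg}
    dom = {n: set(cfg) for n in cfg}
    dom[0] = {0}
    changed = True
    while changed:
        changed = False
        for n in cfg:
            if n == 0 or not preds[n]:
                continue
            new = {n} | set.intersection(*(dom[p] for p in preds[n]))
            if new != dom[n]:
                dom[n], changed = new, True
    return dom

def flattening_score(cfg: Cfg) -> float:
    """Blazytko's flattening heuristic: for each loop head (a block dominating one of
    its own predecessors) take the share of blocks it dominates. A flattening
    dispatcher dominates almost the whole function, so the score approaches 1.0."""
    dom = dominators(cfg)
    score = 0.0
    for n in cfg:
        dominated = {m for m in cfg if n in dom[m]}          # n's dominator subtree, n included
        if any(p in dominated for p in cfg if n in cfg[p]):  # back edge into n
            score = max(score, len(dominated) / len(cfg))
    return score

def rank_functions(funcs: Dict[str, Cfg], partial: bool) -> List[Tuple[str, float]]:
    """all_heur-style (partial=False) or partial_heur-style (partial=True) selection.
    CFGs above MAX_NODES are skipped; sorting items with reverse=True avoids the
    reversed(dict_keys) TypeError that Python before 3.8 raises."""
    scores = {name: flattening_score(cfg) for name, cfg in funcs.items() if len(cfg) <= MAX_NODES}
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    return ranked[:min(MAX_FUNCTIONS, max(1, len(ranked) // 10))] if partial else ranked

# Constructed CFGs, not taken from any real binary: a flattened function whose
# dispatcher (block 1) switches to cases 2..9 that jump back to it, and a loop-free diamond.
FLATTENED: Cfg = {0: [1], 1: [2, 3, 4, 6, 7, 8, 9], 2: [1], 3: [1], 4: [5], 5: [],
                  6: [1], 7: [1], 8: [1], 9: [1]}
DIAMOND: Cfg = {0: [1, 2], 1: [3], 2: [3], 3: []}
```

Calling rank_functions({"flat": FLATTENED, "diamond": DIAMOND}, partial=False) ranks the flattened CFG first with a score of 0.9 and the diamond last with 0.0.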

Usage

Copy the obfDetect directory and obfDetect.py into the IDA Plugins directory.

When IDA has finished loading a binary, the script prints its banner into the IDC/Python console. If it does not, the script can be reloaded with Alt-E by selecting it in the plugin dropdown.

The script can be run from the File toolbar as shown below, or with Ctrl-Shift-H.

Toolbar

Examples

  • A small binary with 2 scanned functions

all_heur

  • Resilience test using a large binary obfuscated using O-LLVM

partial_heur

  • Instruction overlapping heuristic detection

instruction overlap

Todo

Comments
  • dict_keys error.

    While using it against Themida handhelds, I got this:

    func_list = list(reversed(sorted_functions.keys()))[:bound] if partial else list(reversed(sorted_functions.keys()))
    TypeError: 'dict_keys' object is not reversible
    
    bug 
    opened by ghost 2
Releases(v1.7)
  • v1.7(Mar 20, 2022)

  • v1.6(Feb 19, 2022)

    What's Changed

    • Refactor plugin handler
      • Removed duplicate banner print
      • Changed PLUGIN_FIX to PLUGIN_HIDE, user can just use Ctrl-Shift-H
    • Code cleanup in https://github.com/mcdulltii/obfDetect/pull/5

    Full Changelog: https://github.com/mcdulltii/obfDetect/compare/v1.5...v1.6

  • v1.5(Sep 6, 2021)

    GUI Implementation

    GUI Features:

    • QTable Heuristic result view
    • Node limiting
    • Single/All function heuristic search
    • Heuristic result export

    Heuristic Features:

    • Control-Flow Flattening
    • Cyclomatic Complexity
    • Basic Block Size
    • Instruction Overlapping
  • v1.4(Aug 29, 2021)

Owner
Aaron
A programming enthusiast that does image synthesis on the side.