Visual Reverse Engineering of Binary and Data Files
The analysis of computer files poses a difficult problem for security researchers seeking to detect and analyze malicious content, for software developers stress-testing file formats for their products, and for other researchers seeking to understand the behavior and structure of undocumented file formats. Traditional tools, including hex editors, disassemblers and debuggers, while powerful, constrain analysis to primarily text-based approaches. In this paper, we present design principles for file analysis that support meaningful investigation when there is little or no knowledge of the underlying file format, yet are flexible enough to allow the integration of additional semantic information when it is available. We also present results from the implementation of a visual reverse engineering system based on our analysis. We validate the efficacy of both our analysis and our system with case studies depicting analysis use cases where a hex editor would be of limited value. Our results indicate that visual approaches help analysts rapidly identify files, analyze unfamiliar file structures, and gain insights that inform and complement the suite of tools currently in use.
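As an added example (not the paper's own system or code), the following text-mode byteplot labels each window of an unknown blob by dominant byte class and Shannon entropy, the kind of structure-first view the abstract contrasts with a hex editor. The byte classes, the thresholds, the SHA-256-derived filler and the sample blob are this example's own constructions.

```python
import hashlib
import math
from collections import Counter

def byte_class(b: int) -> str:
    """One glyph per byte class, so structure shows without knowing the format."""
    if b == 0x00:
        return "."   # null padding or alignment
    if 0x20 <= b < 0x7F:
        return "a"   # printable ASCII
    if b < 0x20:
        return "c"   # control bytes and small integers
    return "h"       # high bytes, typical of compressed or encrypted data

def window_entropy(chunk: bytes) -> float:
    """Shannon entropy of one window in bits per byte."""
    return -sum(c / len(chunk) * math.log2(c / len(chunk)) for c in Counter(chunk).values())

def classify_window(chunk: bytes) -> str:
    """Coarse label an analyst reads off one row; thresholds are this example's own."""
    glyph, count = Counter(byte_class(b) for b in chunk).most_common(1)[0]
    if glyph == "." and count == len(chunk):
        return "zero-fill"
    if glyph == "a" and count >= 0.9 * len(chunk):
        return "ascii-text"
    # n bytes carry at most log2(n) bits/byte; near that ceiling the window is
    # close to uniformly distinct, as packed or encrypted data is.
    if window_entropy(chunk) > 0.8 * math.log2(len(chunk)):
        return "high-entropy"
    return "mixed"

def byteplot(data: bytes, width: int = 32) -> list:
    """Return (offset, glyph row, label) for each window of `width` bytes."""
    return [(off, "".join(map(byte_class, data[off:off + width])),
             classify_window(data[off:off + width]))
            for off in range(0, len(data), width)]

def constructed_payload(n: int) -> bytes:
    """Deterministic SHA-256 chain standing in for a compressed section (constructed)."""
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(b"constructed-seed-%d" % i).digest()
        i += 1
    return out[:n]

# Constructed sample: null padding, a space-padded ASCII header, then payload.
SAMPLE = b"\x00" * 64 + b"CONSTRUCTED HEADER v1.0 example ".ljust(64) + constructed_payload(64)
if __name__ == "__main__":
    for off, glyphs, label in byteplot(SAMPLE):
        print(f"{off:08x}  {glyphs}  {label}")
```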