Automatically detect obfuscated code and other state machines

Related tags

IDEidaida-proida-pluginidapythonidapython-pluginobfuscation-detection
Overview

Obfuscation Detection

Authored by: Tim Blazytko

Adapted by: mcdulltii

Automatically detect obfuscated code and other state machines

Description:

Scripts to automatically detect obfuscated code and state machines in binaries.

Implementation is based on IDA 7.4+ (Python3). Check out the following blog posts for more information on the Binary Ninja implementation:

Note:

Due to the recursive nature of plotting a dominator tree of every found function within the binary, the implementation and runtime overhead is expensive, though threading has been implemented.

MAX_FUNCTIONS = 50
MAX_NODES = 50
# --- snipped ---
if sum([1 for _ in idautils.Functions()]) > MAX_FUNCTIONS:
    detect.partial_heur()
else:
    detect.all_heur()
# --- snipped ---
if sum([1 for _ in FlowChart(get_func(ea))]) > MAX_NODES:
    pass

For more details on partial_heur() and all_heur():

all_heur() calls all heuristic functions on the binary, then prints an output of the heuristics of all functions within the binary.

partial_heur() calls all heuristic functions on the binary, then prints an output of the heuristics of the top 10% (or bounded by MAX_FUNCTIONS) functions within the binary.

Instruction overlapping heuristic algorithm makes use of mcsema disassembly code to follow jmp and call instructions for better coverage.

Since the script uses the IDA API, any functions that are missed by IDA will likely not be detected.

Usage

Copy the obfDetect directory and obfDetect.py into the IDA Plugins directory.

When IDA has successfully finished loading a binary, the script will print out its banner into the IDC/Python console. If not, the script can be re-loaded using alt-E and selecting it within the plugin dropdown.

The script can be run via the File toolbar as shown below. Alternatively, Ctrl-Shift-H.

Toolbar

Examples

  • A small binary with 2 scanned functions

all_heur

  • Resilience test using a large binary obfuscated using O-LLVM

partial_heur

  • Instruction overlapping heuristic detection

instruction overlap

Todo

You might also like...
A way to integrate Latex, VSCode, and Inkscape in macOS. Adopted the whole workflow from Gilles Castel.
A way to integrate Latex, VSCode, and Inkscape in macOS. Adopted the whole workflow from Gilles Castel.

VSCode-LaTeX-Inkscape A way to integrate LaTeX, VSCode, and Inkscape in macOS Abstract I use LaTeX heavily in past two years for both academic work an

Pingbang Hu 62 Dec 14, 2022
A tool used to obfuscate python scripts, bind obfuscated scripts to fixed machine or expire obfuscated scripts.

PyArmor Homepage (中文版网站) Documentation(中文版) PyArmor is a command line tool used to obfuscate python scripts, bind obfuscated scripts to fixed machine

Dashingsoft 1.9k Jan 1, 2023
A tool used to obfuscate python scripts, bind obfuscated scripts to fixed machine or expire obfuscated scripts.

PyArmor Homepage (中文版网站) Documentation(中文版) PyArmor is a command line tool used to obfuscate python scripts, bind obfuscated scripts to fixed machine

Dashingsoft 1.9k Dec 30, 2022
High performance, easy-to-use, and scalable machine learning (ML) package, including linear model (LR), factorization machines (FM), and field-aware factorization machines (FFM) for Python and CLI interface.
High performance, easy-to-use, and scalable machine learning (ML) package, including linear model (LR), factorization machines (FM), and field-aware factorization machines (FFM) for Python and CLI interface.

What is xLearn? xLearn is a high performance, easy-to-use, and scalable machine learning package that contains linear model (LR), factorization machin

Chao Ma 3k Jan 3, 2023
High performance, easy-to-use, and scalable machine learning (ML) package, including linear model (LR), factorization machines (FM), and field-aware factorization machines (FFM) for Python and CLI interface.
High performance, easy-to-use, and scalable machine learning (ML) package, including linear model (LR), factorization machines (FM), and field-aware factorization machines (FFM) for Python and CLI interface.

What is xLearn? xLearn is a high performance, easy-to-use, and scalable machine learning package that contains linear model (LR), factorization machin

Chao Ma 2.8k Feb 12, 2021
High performance, easy-to-use, and scalable machine learning (ML) package, including linear model (LR), factorization machines (FM), and field-aware factorization machines (FFM) for Python and CLI interface.
High performance, easy-to-use, and scalable machine learning (ML) package, including linear model (LR), factorization machines (FM), and field-aware factorization machines (FFM) for Python and CLI interface.

What is xLearn? xLearn is a high performance, easy-to-use, and scalable machine learning package that contains linear model (LR), factorization machin

Chao Ma 3k Jan 8, 2023
Collection of scripts to pinpoint obfuscated code

Obfuscation Detection (v1.0) Author: Tim Blazytko Automatically detect control-flow flattening and other state machines Description: Scripts and binar

Tim Blazytko 230 Nov 26, 2022
Galvanalyser is a system for automatically storing data generated by battery cycling machines in a database
Galvanalyser is a system for automatically storing data generated by battery cycling machines in a database

Galvanalyser is a system for automatically storing data generated by battery cycling machines in a database, using a set of "harvesters", whose job it

Battery Intelligence Lab 20 Sep 28, 2022
Generate obfuscated meterpreter shells

Generator Evade AV with obfuscated payloads Installation must install dotnet prior to running the script with net45 Running ./generator.py -ip Your-I

Fawaz Al-Mutairi 219 Nov 28, 2022
MODeflattener deobfuscates control flow flattened functions obfuscated by OLLVM using Miasm.
MODeflattener deobfuscates control flow flattened functions obfuscated by OLLVM using Miasm.

MODeflattener deobfuscates control flow flattened functions obfuscated by OLLVM using Miasm.

Suraj Malhotra 138 Jan 7, 2023
OLOP: One-Line & Obfuscated Python

OLOP: One-Line & Obfuscated Python This repository contains useful python modules for one-line and obfuscated python. pip install olop-ShadowLugia650

null 1 Jan 9, 2022
We evaluate our method on different datasets (including ShapeNet, CUB-200-2011, and Pascal3D+) and achieve state-of-the-art results, outperforming all the other supervised and unsupervised methods and 3D representations, all in terms of performance, accuracy, and training time.
We evaluate our method on different datasets (including ShapeNet, CUB-200-2011, and Pascal3D+) and achieve state-of-the-art results, outperforming all the other supervised and unsupervised methods and 3D representations, all in terms of performance, accuracy, and training time.

An Effective Loss Function for Generating 3D Models from Single 2D Image without Rendering Papers with code | Paper Nikola Zubić Pietro Lio University

Nikola Zubić 213 Dec 27, 2022
A discord bot that can detect Nitro Scam Links and delete them to protect other users
A discord bot that can detect Nitro Scam Links and delete them to protect other users

A discord bot that can detect Nitro Scam Links and delete them to protect other users. Add it to your server from here.

Kanak Mittal 9 Oct 20, 2022
A tool combining EasyOCR and LaMa to automatically detect text and replace it with an inpainted background.
A tool combining EasyOCR and LaMa to automatically detect text and replace it with an inpainted background.

EasyLaMa (WIP) This is a tool combining EasyOCR and LaMa to automatically detect text and replace it with an inpainted background. Installation For GP

null 3 Sep 17, 2022
Periodically check the manuscript state in the scholar one system and send email when finding a new state.

ScholarOne-manuscript-checker Periodically check the manuscript state in the scholar one system and send email when finding a new state. Parameters ne

null 2 Aug 18, 2022
A simple voice detection system which can be applied practically for designing a device with capability to detect a baby’s cry and automatically turning on music

Auto-Baby-Cry-Detection-with-Music-Player A simple voice detection system which can be applied practically for designing a device with capability to d

null 2 Dec 15, 2021
Automatically detect changes made to the official Telegram sites.
Automatically detect changes made to the official Telegram sites.

🕷 Telegram Web Crawler This project is developed to automatically detect changes made to the official Telegram sites. This is necessary for anticipat

Il'ya 115 Dec 31, 2022
Customised to detect objects automatically by a given model file(onnx)
Customised to detect objects automatically by a given model file(onnx)

LabelImg LabelImg is a graphical image annotation tool. It is written in Python and uses Qt for its graphical interface. Annotations are saved as XML

Heeone Lee 1 Jun 7, 2022
TensorFlowTTS: Real-Time State-of-the-art Speech Synthesis for Tensorflow 2 (supported including English, Korean, Chinese, German and Easy to adapt for other languages)

🤪 TensorFlowTTS provides real-time state-of-the-art speech synthesis architectures such as Tacotron-2, Melgan, Multiband-Melgan, FastSpeech, FastSpeech2 based-on TensorFlow 2. With Tensorflow 2, we can speed-up training/inference progress, optimizer further by using fake-quantize aware and pruning, make TTS models can be run faster than real-time and be able to deploy on mobile devices or embedded systems.

null 3k Jan 4, 2023
Comments
  • dict_keys error.

    dict_keys error.

    while using it against themida hanhelds , i got this :

    func_list = list(reversed(sorted_functions.keys()))[:bound] if partial else list(reversed(sorted_functions.keys()))
TypeError: 'dict_keys' object is not reversible
    bug 
    opened by ghost 2
Releases(v1.7)

  • v1.7(Mar 20, 2022)

  • v1.6(Feb 19, 2022)

    What's Changed

    • Refactor plugin handler
      • Removed duplicate banner print
      • Changed PLUGIN_FIX to PLUGIN_HIDE, user can just use Ctrl-Shift-H
    • Code cleanup in https://github.com/mcdulltii/obfDetect/pull/5

    Full Changelog: https://github.com/mcdulltii/obfDetect/compare/v1.5...v1.6

    Source code(tar.gz)
    Source code(zip)

  • v1.5(Sep 6, 2021)

    GUI Implementation

    GUI Features:

    • QTable Heuristic result view
    • Node limiting
    • Single/All function heuristic search
    • Heuristic result export

    Heuristic Features:

    • Control-Flow Flattening
    • Cyclomatic Complexity
    • Basic Block Size
    • Instruction Overlapping
    Source code(tar.gz)
    Source code(zip)
    obfDetect.zip(81.64 KB)

  • v1.4(Aug 29, 2021)

Owner
Aaron
A programming enthusiast that does image synthesis on the side.
Aaron
GitHub Repository
A way to integrate Latex, VSCode, and Inkscape in macOS. Adopted the whole workflow from Gilles Castel.

VSCode-LaTeX-Inkscape A way to integrate LaTeX, VSCode, and Inkscape in macOS Abstract I use LaTeX heavily in past two years for both academic work an

Pingbang Hu 62 Dec 14, 2022
Multi-user server for Jupyter notebooks

Technical Overview | Installation | Configuration | Docker | Contributing | License | Help and Resources Please note that this repository is participa

JupyterHub 7k Jan 02, 2023
Spyder - The Scientific Python Development Environment

Spyder is a powerful scientific environment written in Python, for Python, and designed by and for scientists, engineers and data analysts. It offers a unique combination of the advanced editing, ana

Spyder IDE 7.3k Jan 08, 2023
VSCode extension to sort and refactor python imports using reorder-python-imports.

reorder-python-imports VSCode extension to sort and refactor python imports using reorder-python-imports. Unlike other import organizers, reorder-pyth

Ryan Butler 3 Aug 26, 2022
Automatically detect obfuscated code and other state machines

Scripts to automatically detect obfuscated code and state machines in binaries.

Aaron 110 Dec 04, 2022
A Python code editor that looks like GNU Emacs.

🚧 WARNING 🚧 : Under development... Testing is not recommended! Welcome to Snake Editor! Hi! This is our repository, we are here to present our new p

Marcio Dantas 5 May 20, 2022
cottonformation is a Python tool providing best development experience and highest productivity

Welcome to cottonformation Documentation Full Documentatioin Here cottonformation is a Python tool providing best development experience and highest p

Sanhe 6 Jul 08, 2022
Kite IntelliJ plugin

Handbook Supported platforms The Kite plugin supports the following environments: PyCharm Community PyCharm Professional IntelliJ Community with the P

Kite 57 Dec 23, 2022
Mu - A Simple Python Code Editor

A small, simple editor for beginner Python programmers. Written in Python and Qt5.

Mu 1.2k Jan 03, 2023
Wasm powered Jupyter running in the browser 💡

JupyterLite JupyterLite is a JupyterLab distribution that runs entirely in the browser built from the ground-up using JupyterLab components and extens

JupyterLite 3k Jan 04, 2023
Run context-aware commands from your source code comments

Run context-aware commands from your source code comments. Codeline allows you to run custom commands directly from source-code comments, combining th

Rory Byrne 32 Nov 09, 2021
A GitHub Action hosted Python IDE!

What is this ? This is an IDE running on GitHub Actions which can help in..... Running small snippets. Running codes whenever PC is not available and

Jainam Oswal 21 Nov 09, 2022
Integrate clang-format with Sublime Text

Sublime Text Clang Format Plugin This is a minimal plugin integrating clang-format with Sublime Text, with emphasis on the word minimal. It is not rea

Jon Palmisciano 1 Dec 17, 2021
Joy is a tiny creative coding library in Python.

Joy Joy is a tiny creative coding library in Python. Installation The easiest way to install it is download joy.py and place it in your directory. The

FOSS United Foundation 181 Dec 04, 2022
Launch a ready-to-code Wagtail Live development environment with a single click.

Wagtail Live Gitpod Launch a ready-to-code Wagtail Live development environment with a single click. Steps: Click the Open in Gitpod button. Relax: a

Coen van der Kamp 6 Oct 29, 2021
A comfy custom IDE where you can feel right at home

reZIDE a comfy custom IDE where you can feel right at home 🏡 Use simple, declarative configuration files to create complex IDEs with a single command

Zach 7 Jan 26, 2022
An echo kernel for JupyterLite

jupyterlite-echo-kernel An echo kernel for JupyterLite. Requirements JupyterLite = 0.1.0a10 Install To install the extension, execute: pip install ju

JupyterLite 7 Dec 07, 2022
Live coding in Python with PyCharm, Emacs, Sublime Text, or even a browser

Live Coding in Python Visualize your Python code while you type it in PyCharm, Emacs, Sublime Text, or even your browser. To see how to use one of the

Don Kirkby 256 Dec 14, 2022
Python IDE or notebook to generate a basic Kepler.gl data visualization

geospatial-data-analysis [readme] Use this code in your Python IDE or notebook to generate a basic Kepler.gl data visualization, without pre-configura

2 Sep 05, 2022
A Sublime Text package that allows a user to view all the available core/plugin commands for Sublime Text and Sublime Merge, along with their documentation/source.

CommandsBrowser A Sublime Text package that allows a user to view all the available core/plugin commands for Sublime Text and Sublime Merge, along wit

Sublime Instincts 26 Nov 15, 2022