Function Identification and Recovery Signature Tool
Reverse engineering benign or malicious samples can take a considerable amount of time, and new samples are created at an alarming rate. Using disassemblers such as IDA Pro, a reverse engineer can analyze the same routines across several samples over the course of a career. That knowledge is not easily transferred to similar samples or functions, whether for the analyst's own later use or for others.
In particular, we consider the problem that code reuse poses for reversing efforts, whether it comes from statically linked libraries or from integrating existing software. In this paper we aim to provide a solution for transferring knowledge to similar functions by introducing a new reverse engineering tool, named FIRST (Function Identification and Recovery Signature Tool), to reduce analysis time and enable information sharing.
Copyright (c) Angel Villegas
This work is licensed under a Creative Commons Attribution 4.0 International License.