2-creating-a-tutorial-on-static-binary-analysis-jhcheng created by GitHub Classroom

senselab/2-creating-a-tutorial-on-static-binary-analysis-jhcheng

A Tutorial on Static Binary Analysis Tools

When an unknown malware sample comes in, it first goes through a classification step to determine whether it belongs to a known malware family. If classification returns nothing useful, manual inspection is needed.

For classification, one well-known tool is the YARA identification and classification engine. With YARA you write rules that match strings, instruction sequences, regular expressions, byte patterns, and so on. You can then scan files with the command-line yara utility or integrate the scanning engine into your own C or Python tools through YARA's API.

Manual inspection is more involved. It may ultimately require reverse engineering the binary, which usually means working with a disassembler such as IDA Pro and with binary comparison tools such as BinDiff. A well-known open source disassembler is Ghidra, released by the National Security Agency. Ghidra also works with BinDiff through the BinExport extension for Ghidra.

In this project, please prepare a tutorial on the installation and usage of YARA, Ghidra, and BinDiff.

In the tutorial, you should give examples showing

  • Creation of YARA rules to look for files containing specific strings (e.g., *.facebook.com)
  • Disassembly and decompilation of binary executables
  • Use of BinDiff to tell if two binaries contain similar code pieces (for instance, you can use BinDiff to compare a binary executable with a known library to see if the unknown executable uses a specific library)
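As an added illustration of the first bullet (an example written for this tutorial, not part of the original assignment text), the following YARA rule flags files that reference any host under facebook.com. The rule name, meta fields and the assumption that the hostname is stored as plain ASCII or UTF-16LE text are choices made here:

```yara
/*
  Added example for this tutorial, not from the original assignment text.
  Matches files that contain a hostname of the form *.facebook.com
  (e.g. "api.facebook.com" or "www.facebook.com").
  Assumption: the hostname appears as ASCII or UTF-16LE (wide) text.
*/
rule Contains_Facebook_Hostname
{
    meta:
        description = "File contains a *.facebook.com hostname"
        author = "tutorial example"

    strings:
        // Exact domain, case-insensitive, in both ASCII and wide encodings
        $host_plain = "facebook.com" nocase ascii wide

        // Full subdomain: one or more DNS labels followed by .facebook.com
        $host_sub = /([a-z0-9-]+\.)+facebook\.com/ nocase ascii wide

    condition:
        any of them
}
```

Save the rule as facebook.yar and scan a directory of samples with `yara -r -s facebook.yar samples/`; `-r` recurses into subdirectories and `-s` prints the matched strings and their offsets, which is useful when checking why a file matched. The `wide` modifier matters for Windows samples, where hostnames are often stored as UTF-16LE and would be missed by an ASCII-only string.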

If you need malware samples for your tutorial, here are some possible sources
