Published 2017-04-02
Keywords
- FIRST
- Reverse engineering
- Disassembly analysis
- Code reuse
Copyright (c) 2017 Angel M. Villegas (Author)
This work is licensed under a Creative Commons Attribution 4.0 International License.
Abstract
Reverse engineering benign or malicious samples can take a considerable amount of time, and new samples are created at an alarming rate. Using disassemblers such as IDA Pro, a reverse engineer may analyze the same routines across several samples over the course of their career, yet that knowledge is not easily transferred to similar samples or functions, whether for themselves or for others.
In particular, we consider the problem that code reuse poses for reversing efforts, whether through statically linked libraries or through the integration of existing software. In this paper we provide a solution for transferring knowledge to similar functions by introducing a new reverse engineering tool, FIRST (Function Identification and Recovery Signature Tool), intended to reduce analysis time and enable information sharing.