virusbattle-sdk / APIFlowGraph

Getting Started

Accessing VirusBattle requires downloading and setting up the VirusBattle SDK. See Installation, Setup, Registration to set up.

APIFlowGraph with VirusBattle

VirusBattle provides several fully automated semantic reverse engineering services. The service that extracts the APIFlowGraph is called srlStatic. An APIFlowGraph is a directed graph whose nodes are API call sites; a directed edge from API call site A to B means that there exists an interprocedurally valid path in the call graph along which a call from site A follows a call from site B, with no intermediate call to any API. To extract an APIFlowGraph from an x86 binary, all you need to do is upload a PE-32 executable, either as is or as part of a compressed archive, wait a few seconds, and download the result files.

Uploading to VirusBattle

See Uploading Files for a detailed HowTo. The easiest way to upload to VirusBattle is:

    vbclient.py -a upload <path to file>

Checking Status

To find out if the uploaded file has been processed or not:

    vbclient.py -a status <sha1 of uploaded file>

You may also want to use the Query option for details:

    vbclient.py -a query <sha1 of uploaded file>

Downloading APIFlowGraph File

To download results of VirusBattle, use the Download action:

    vbclient.py -a download <sha1 of uploaded file>

This downloads the VirusBattle service result files into the ./Results folder. To avoid downloading results from other services (srlJuice, etc.), set VIRUSBATTLE_SERVICE_FILTER appropriately, as described below.

Generate Mapping between PE File and APIFlowGraph File

To generate service maps, use the map action:

    vbclient.py -a map <sha1 of uploaded file>

This creates CSV map files in the ./Results directory, each line containing original_file_sha1,result_file_sha1. In the case of the srlStatic service, three output files are produced per sample: Callgraph, APIFlowGraph and Strings, which makes the map file tricky to interpret. The files are named result_file_sha1.callgraph.dot, result_file_sha1.apiflowgraph.json and result_file_sha1.strings.json. This helps, but it is still cumbersome. We recommend processing the vb-srlStatic.map file produced by the above command in the ./Results directory, where you also downloaded the srlStatic result files, as follows:

    # Collect the result sha1 (the part before the first dot) of every downloaded apiflowgraph file, one per line ...
    ls *.apiflowgraph.json | awk -F. '{print $1}' > vb-apiflowgraph.ids
    # ... and keep only the map rows that contain one of those sha1 values (fixed-string match, no regex escaping needed).
    grep -F -f vb-apiflowgraph.ids vb-srlStatic.map > vb-apiflowgraph.map
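The same mapping step in Python, as an added example that is not part of the virusbattle-sdk: it reads vb-srlStatic.map, joins each row against the result files actually present in the results directory, and writes vb-apiflowgraph.map, exactly like the grep pipeline above. It goes a little beyond the shell version in that the same functions also work for the callgraph and strings results. It assumes only the map row format (original_file_sha1,result_file_sha1) and the result file naming given above; the function names, the demo() helper and the sha1 values it constructs are invented for illustration.

```python
# Added example, not part of the virusbattle-sdk. It relies only on what this
# page states: a vb-srlStatic.map file holds rows of
# "original_file_sha1,result_file_sha1", and srlStatic result files are named
# <result_file_sha1>.callgraph.dot, <result_file_sha1>.apiflowgraph.json and
# <result_file_sha1>.strings.json. Function names and the sha1 values used by
# demo() are constructed for illustration.
import csv
import os
import re
import tempfile
from collections import defaultdict

# Result kinds srlStatic produces, with the extension the wiki lists for each.
SRLSTATIC_KINDS = {"callgraph": "dot", "apiflowgraph": "json", "strings": "json"}
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")


def read_map(path):
    """Yield (original_sha1, result_sha1) pairs from a vb-<service>.map file.

    Rows that are not exactly two well-formed sha1 values are skipped, so a
    header or truncated line is never joined to a result file by accident.
    """
    with open(path, newline="") as fh:
        for row in csv.reader(fh):
            if len(row) != 2:
                continue
            orig, result = (col.strip().lower() for col in row)
            if SHA1_RE.match(orig) and SHA1_RE.match(result):
                yield orig, result


def index_results(results_dir, kind="apiflowgraph"):
    """Map result_file_sha1 -> path for each <sha1>.<kind>.<ext> file present."""
    ext = SRLSTATIC_KINDS[kind]
    found = {}
    for name in os.listdir(results_dir):
        parts = name.lower().split(".")
        if parts[1:] == [kind, ext] and SHA1_RE.match(parts[0]):
            found[parts[0]] = os.path.join(results_dir, name)
    return found


def build_mapping(results_dir, kind="apiflowgraph", map_name="vb-srlStatic.map"):
    """Return {original_sha1: [paths of that sample's <kind> result files]}.

    Only rows whose result file was actually downloaded are kept, so a
    partially downloaded results directory yields a partial, not a wrong, map.
    """
    paths = index_results(results_dir, kind)
    mapping = defaultdict(list)
    for orig, result in read_map(os.path.join(results_dir, map_name)):
        if result in paths:
            mapping[orig].append(paths[result])
    return dict(mapping)


def write_filtered_map(results_dir, kind="apiflowgraph", map_name="vb-srlStatic.map"):
    """Write vb-<kind>.map (the wiki's vb-apiflowgraph.map for the default kind)
    next to the source map and return the number of rows written."""
    paths = index_results(results_dir, kind)
    written = 0
    with open(os.path.join(results_dir, "vb-%s.map" % kind), "w", newline="") as out:
        writer = csv.writer(out)
        for orig, result in read_map(os.path.join(results_dir, map_name)):
            if result in paths:
                writer.writerow([orig, result])
                written += 1
    return written


# Constructed sample data (not real hashes): two uploaded PE files with three
# srlStatic result rows each, but only the first sample's files downloaded.
PE_A = "1" * 40
PE_B = "2" * 40
RESULTS_A = {"callgraph": "a" * 40, "apiflowgraph": "b" * 40, "strings": "c" * 40}
RESULTS_B = {"callgraph": "d" * 40, "apiflowgraph": "e" * 40, "strings": "f" * 40}


def make_sample_results(results_dir):
    """Populate results_dir the way the download and map actions would."""
    rows = [(PE_A, r) for r in RESULTS_A.values()] + [(PE_B, r) for r in RESULTS_B.values()]
    with open(os.path.join(results_dir, "vb-srlStatic.map"), "w", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow(["original_file_sha1", "result_file_sha1"])  # constructed header; read_map skips it
        writer.writerows(rows)
    for kind, sha1 in RESULTS_A.items():
        name = "%s.%s.%s" % (sha1, kind, SRLSTATIC_KINDS[kind])
        with open(os.path.join(results_dir, name), "w") as fh:
            fh.write("digraph G {}\n" if kind == "callgraph" else "{}\n")  # placeholder content


def demo(kind="apiflowgraph"):
    """Run the mapping on a fresh temp directory; return (mapping, rows written)."""
    results_dir = tempfile.mkdtemp(prefix="vb-results-")
    make_sample_results(results_dir)
    return build_mapping(results_dir, kind), write_filtered_map(results_dir, kind)


if __name__ == "__main__":
    mapping, count = demo()
    for orig, files in sorted(mapping.items()):
        print(orig, "->", ", ".join(os.path.basename(f) for f in files))
    print("rows written to vb-apiflowgraph.map:", count)
```

Point build_mapping() at your real ./Results directory to get the PE sha1 to APIFlowGraph file mapping directly; the second sample in demo() shows that a map row whose result file has not been downloaded (for example because another service's results were filtered out) simply does not appear in the output.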

Filter Other Services

If you are only interested in results from this service and want to filter out results from other VirusBattle services (srlUnpacker, srlJuice, srlSimService, etc.), you can filter them out by setting the appropriate value for the VIRUSBATTLE_SERVICE_FILTER environment variable:

    export VIRUSBATTLE_SERVICE_FILTER="srlUnpacker,srlSimService,srlJuice"

The variable accepts a case-sensitive, comma-separated list of service names to filter out. You can filter out as many or as few services as you choose.
