virusbattle-sdk / Processing Steps

PROCESSING STEPS

The following diagram represents the flow of computation on VirusBattle server.

(Figure: process-architecture.jpg)

When a file is uploaded, VirusBattle places it in the Upload queue if the file is not already in the database (or if a "--force" upload is requested). A Dispatch process reads the queue, determines the type of each file, and passes it to the appropriate handler: an archive file goes to the Archive Handler, a Windows PE32 executable to the Binary Handler, and any other file to an Unknown File Handler (not represented in the diagram).

The Archive Handler decompresses an archive, walks the extracted directory tree to find files, and internally 'uploads' each of them. Nested archives are therefore decompressed recursively, and every enclosed Windows PE32 executable ends up in both the Unpack queue and the Juice queue for processing.

The Unpacker module unpacks the binaries in the Unpack queue and, if unpacking succeeds, stores the result in the Virus Battle Mongo database. It also places the generated unpacked file in the Juice queue.

The Juice module uses UL Lafayette's patent-pending BinJuice technology to perform semantic reverse engineering of binaries, both those uploaded directly and those generated by the unpacker. Upon completion of this step, the system computes a variety of hashes and generates indexes that connect a malware binary to other binaries with semantically similar code. The data is stored in the Virus Battle Mongo database.

A download request is handled directly by the web server, which retrieves unpacked files from the database and returns them to the user. Query requests are handled by the Query module, which retrieves and returns the requested information.
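The flow described above (dedup on upload unless forced, dispatch by file type, recursive archive handling, and fan-out of PE32 files into the Unpack and Juice queues) is modelled below as an added, self-contained example. It is not code from the virusbattle-sdk project: the queue names, the `Server` class, the in-memory dictionary standing in for the Mongo database, the nesting cap `MAX_ARCHIVE_DEPTH`, and the sample files are all constructed for illustration. The PE32 check looks only at the `MZ` and `PE\0\0` magic, and the nesting cap is a defensive addition the page does not mention, included because unbounded recursion into nested archives is the usual failure mode of such a handler.

```python
"""Added example (not part of the virusbattle-sdk wiki): an in-memory model of
the upload -> dispatch -> handler -> queue flow. Nothing here talks to a real
VirusBattle server; the database is a dict and the queues are deques."""
import hashlib
import io
import struct
import zipfile
from collections import deque

# Assumed queue names, mirroring the boxes in the diagram.
UPLOAD, UNPACK, JUICE = "upload", "unpack", "juice"
MAX_ARCHIVE_DEPTH = 4  # constructed cap against deeply nested archives


def file_type(data: bytes) -> str:
    """Classify by magic bytes: 'archive' (zip), 'pe32' or 'unknown'."""
    if data[:2] == b"PK":
        return "archive"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "pe32"
    return "unknown"


class Server:
    def __init__(self):
        self.db = {}  # sha256 -> record; stands in for the Mongo database
        self.queues = {UPLOAD: deque(), UNPACK: deque(), JUICE: deque()}
        self.unknown = []  # digests routed to the Unknown File Handler

    def upload(self, name: str, data: bytes, force: bool = False, depth: int = 0) -> str:
        """Queue a file unless its hash is already known (or force is set)."""
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.db and not force:
            return digest  # already in the database: nothing is queued
        self.db[digest] = {"name": name, "type": file_type(data), "depth": depth}
        self.queues[UPLOAD].append((digest, data, depth))
        return digest

    def dispatch(self) -> None:
        """Drain the Upload queue, routing each file by its type."""
        while self.queues[UPLOAD]:
            digest, data, depth = self.queues[UPLOAD].popleft()
            kind = self.db[digest]["type"]
            if kind == "archive":
                self.archive_handler(digest, data, depth)  # may enqueue more
            elif kind == "pe32":
                self.queues[UNPACK].append(digest)
                self.queues[JUICE].append(digest)
            else:
                self.unknown.append(digest)

    def archive_handler(self, digest: str, data: bytes, depth: int) -> None:
        """Extract every member and internally 'upload' it one level deeper."""
        if depth >= MAX_ARCHIVE_DEPTH:
            self.db[digest]["error"] = "nesting limit"
            return
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    self.upload(info.filename, zf.read(info), depth=depth + 1)


# --- constructed sample inputs -------------------------------------------
def make_pe32_stub() -> bytes:
    """Minimal 'MZ ... PE\\0\\0' stub: enough for file_type(), not a real executable."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew points just past the header
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20


def make_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def nested_archive(levels: int) -> bytes:
    """A zip wrapped `levels` times around a single text file."""
    data = b"innermost"
    for i in range(levels):
        data = make_zip({f"level{i}": data})
    return data


def demo() -> Server:
    """Upload one archive that holds a PE32 file, a nested zip with the same
    PE32 file (deduplicated) and a text file (routed to Unknown)."""
    srv = Server()
    pe = make_pe32_stub()
    inner = make_zip({"b.exe": pe, "notes.txt": b"hello"})
    srv.upload("sample.zip", make_zip({"a.exe": pe, "nested.zip": inner}))
    srv.dispatch()
    return srv


if __name__ == "__main__":
    s = demo()
    print(len(s.db), "records;", len(s.queues[UNPACK]), "queued for unpacking")
```

In `demo()` the same PE32 bytes appear twice, so the second copy is not re-queued; the text file reaches the Unknown File Handler, and the model ends with one binary in each of the Unpack and Juice queues. The depth cap means a deeply nested archive is recorded with an error instead of being expanded without bound.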
