Clone wiki

virusbattle-sdk / Reverse Engineering

VirusBattle uses VM introspection to observe malware execution at a level below ring 0. The intricate knowledge of Windows Internals is in-built the system to monitor the malware's interaction with the Operating System as it is executing. This is followed by a rigorous static analysis of the original code, as well as, that of runtime generated code extracted during the execution.

VirusBattle's static analysis engine performs a variety of analyses. The most important to reverse engineers being the BinJuice analysis. Juice is an abstraction over semantics that can be computed and compared in a fast and scalable fashion.

Given a binary executable, in about a minute, VirusBattle can calculate juice of all procedures in the binary and find out known procedures in the database which are semantically equivalent to procedures in the given binary. Users then have access to all the information and notes of reversers who have worked on the procedure before, leaving only the unique, never-seen-before, procedures to be reversed. This reduces the workload by orders of magnitude. proc-sharing.jpeg

Propagating information from procedure to another juice equivalent procedure has interesting advantages. For instance, IDA more often than not, misses to identify library procedures. Reverse engineers thus often end up spending time reversing a library procedure which can be avoided.

Below image shows percentage of library procedures as identified by IDA followed by those identified by VirusBattle by just propagating IDA isLibrary tag information across juice-equivalent procedures. image004.png image005.png

The above is just a glimpse of what can be achieved by propagating information across equivalent procedures. One can also throw in labelled open source code and propagate information from them to similar equivalent procedures in malware and use the labels to guide a reverse engineer trying to understand the malware behaviors.

To better aid in understanding new malware, VirusBattle also reports on the ControlFlow Graph of the malware. Additionally, VirusBattle also generates an APIFlow Graph. Since API calls are the most common way to interact with the OS, they can be used to understand malware behavior. APIFlow Graph thus may be understood as an abstraction of the ControlFlow Graph where each path describes the behavior of the program as it executed that path on the ControlFlow Graph.