All of us know what static binary analysis means. It means that the analysis of the binary is performed without actually executing it. Almost two years ago, an open source framework – Pharos, was created by the Carnegie Mellon SEI, CERT Division in collaboration with the Lawrence Livermore National Laboratory was released. This post is about the framework which supports reverse engineering of binaries with a focus on malicious code analysis.
What is Pharos?
Pharos is a open source, static binary analysis framework that uses the ROSE compiler, developed by Lawrence Livermore National Laboratory for disassembly, control flow analysis, instruction semantics. These features help you automate common reverse engineering tasks with a focus on malicious code analysis. The Pharos framework is made up of the following static binary analysis tools.
- APIAnalyzer: The APIAnalyzer is a signature driven tool for finding sequences of API calls with the specified data and control relationships. This capability is intended to be used to detect common operating system interaction parameters such as opening a file, writing to it, and the closing it.
- OOAnalyzer: OOAnalyzer is a tool for the analysis and recovery of object oriented constructs. It helps you identify object members and methods by tracking object pointers between functions in the program. This tool was previously named “Objdigger” and is being redesigned to use XSB Prolog rules to recover the object attributes. Earlier, ObjDigger used definition-use analysis to identify object pointers, known as this pointers. It accumulates context-free facts that are exported to Prolog for higher-level semantic analysis. When a line of reasoning doesn’t work out, Prolog backtracks and searches for a different solution.
- CallAnalyzer: Callanalyzer is a tool for reporting the static parameters to API calls in a binary program. It is largely a demonstration of our current calling convention, parameter analysis, and type detection capabilities, although it also provides useful analysis of the code in a program.
- FN2Yara: FN2Yara is a tool to generate YARA signatures for matching functions in an executable program. Programs that share significant numbers of functions are are likely to have behavior in common.
- FN2Hash: FN2Hash is tool for generating a variety of hashes and other descriptive properties for functions in an executable program. Like FN2Yara it can be used to support binary similarity analysis, or provide features for machine learning algorithm.
- DumpMASM: DumpMASM is a tool for dumping dis-assembly listings from an executable using the Pharos framework in the same style as the other tools. It has not been actively maintained, and you should consider using ROSE’s standard recursiveDisassemble instead.
- PyObjDigger: PyObjDigger is included as a plugin for the IDA Pro Dis-assembler (located at tools/objdigger/ida) to allow you to ingest, view, and modify ObjDigger results directly into IDA Pro. One of the most useful PyObjdigger features is its ability to annotate virtual function calls with clickable labels.
Download Pharos Framework:
The Pharos framework needs a *Nix system and can also use a Docker script to be installed in a container. Pharos framework needs ROSE, XSB, Boost, yaml-cpp, SQLLite and YICES. Installation instructions can be found here. You can check out the current Pharos GIT repository here.
My initial post about this advanced XSS detection and exploitation suite was almost an year ago! Three days ago, an update – XSStrike 3.1.2 was released. This is a post that documents these changes. What is XSStrike? XSStrike is a Cross Site Scripting detection suite equipped with four hand written parsers, an intelligent payload generator,