Static Analysis

Static Analysis

2 .What do we want to know about a binary?

 

 

 

 

3. What else can we learn about a binary before talking about code?

 

1. Why Static analysis?

 

  We want to learn as much as we can about the binary without having to run it.

This way we can save ourselves from running a malicious program,  or even save time just from getting hints for other analysis!

    That depends on what we are doing! But generally starting with Readelf/Strings is helpful

Static tools demo

  • readelf 

 

  • strings

 

  • objdump

 

  • xxd

What is a basic block?

Basic block is a set of instructions where the only entry is the top of the block and the only exit is the end of the block. 

 

 

In Binaryninja, red is false path,

green is true path,

blue is neither (sometimes greeen).

What is a basic block?

Address    Opcode    Instruction  Operand(s)

May need change options for seeing address and opcodes in your disassembler!

Basic blocks are part of Intraprocedural scope, which means within a single function

Call Graphs

IDA can show you call graphs visually. Can be useful and depending on the type analysis is needed (interprocedural).

Binary Ninja

We can use binja to disassemble and it is the best looking one!

 

Has many plugins, built on python, the Sublime of disassembly

 

 

Binary Ninja

IDA

IDA is the oldest, works well on windows binaries, detects structures, colors are customizable (if you're into that)

 

Little harder to use, but you get more analysis tools in the background. Basically operates the same way you would Binja

 

Emacs of disassembly

IDA

Radare2

Originally written as a hexeditor, grew into a massive disassembler

/debugger/forensics tool all at the same time. 

 

Really hard to use, super powerful, can do pretty much anything. CLI, no good GUI

 

Vim of disassembly plus a toaster&blender&knife set.

Radare2

Ghidra

Open source Disassembler recently released by the NSA. 

 

Decompilation feature that would cost a lot of money otherwise

 

 

Ghidra

Function Detection

How might we detect functions in a binary? Assuming the binary is stripped

Function Detection

Recursively, we can try to detect all the functions by disassembling at a call instruction address 

Can this be defeated?

Function Detection

Linearly, we can look for function initialization code, such as the snipped below. 

Can this be defeated?

foo:
    push ebp
    mov ebp, esp
    
    ...
    do stuff
    ...

    pop ebp
    ret

Initialize the stack frame (start of function)

remove stack frame (end of function)

Control Flow Analysis

What are the possible control flow structures?

   + For, While, Do While loops

   + If, If-else statements

   + Switch statements

 

In Assembly, do these look different?

   

   + in assembly they do not

      look very different at all

 

 

 

Control Flow Analysis

If all loops look the same, why should we care  if they are different?

   Well we don't care actually.

 

How might we detect a loop then?

 

  Perform DFS

  1: top

  2: top, next

  3: top,

  4: top, top  *loop found*

 

Data-Flow Analysis

Data-flow analysis is a technique for gathering information about the possible set of values calculated at various points in a computer program

-wikipedia

 + Forward/Backward Analysis

 + Flow/Path/Context Sensitive 

 + May/Must join points

There is a lot to talk about here, but too much for our class! For more check these 430 slides out!

Data-Flow Analysis

after slicing

Program slicing is a great example of an analysis that would be useful to a Reverse Engineer!

 

This shows us on what affects sum prior to the chosen line (write(sum)). 

(Backward analysis)

 

Notice lines with 'w' are still included since w affects the definition of sum in the for loop.

 

Program slicing is not exclusively backward like other data-flow analyses

Static Analysis Frameworks

Angr - python library for analysis and powerful for symbolic execution (later topic)

 

CIL - written in OCaml, for C, can do all the analysis mentions before on C source code.

 

LLVM - frame work for compiling and optimizing the LLVM IR, easily extended

Static Analysis

By Drake P

Static Analysis

  • 175