https://github.com/angr/angr Uses a Concolic execution engine where it can switch from running a binary concretely, break, and then define an unknown input and find what should I be to trigger a different breakpoint. - e.g. what should the “password” pointer be pointing to in order to trigger the “you’re in” branch of code.
Note: it still can’t reverse hashes. If you try to reverse md5 using this approach it’ll consume petabytes of RAM.
I think radare2 was looking into integrating with angr but I don’t know the status of the integration.
I’m an incident responder/malware analyst. Mostly do static analysis and reverse engineering. What would you say the benefit of your research and this binary analysis is compared to other offerings? What do you do about highly obfuscated or ‘benign’ looking binaries that aren’t?
I’m not too sure about the chain of command during incident response. Theoretically this research is going to make finding vulnerabilities and finding attack vectors easier. Once you have the malicious binary (and we solved some problems) you can say “what input caused this malicious binary to call ptrace” and the automation will say “if socket X read ‘write \0\0\0 to stdin of pid 3738’ then the binary eventually will call ptrace”. The analysis is dynamic and works on stripped binaries so generally obfuscation isn’t a concern. Currently the biggest challenge is variable-sized loops where the size is symbolic (as in the path to ptrace depends on the iteration count). The automation needs domain specific knowledge about reasoning over variable sized loops. (Eg the automation needs to be taught how to invert strlen())