diff --git a/plugin.json b/plugin.json index 5ebf6be..ac339d8 100644 --- a/plugin.json +++ b/plugin.json 
@@ -9,7 +9,7 @@ "python3" ], "description": "Automatically detect obfuscated code and other state machines", - "longdescription": "Scripts and binaries to automatically detect obfuscated code and state machines in binaries.\n\nImplementation is based on Binary Ninja. Check out the following blog posts for more information:\n\n* [Automated Detection of Control-flow Flattening](https://synthesis.to/2021/03/03/flattening_detection.html)\n* [Automated Detection of Obfuscated Code](https://synthesis.to/2021/08/10/obfuscation_detection.html)\n\n## Usage\n\nTo find control-flow flattening, run `detect_flattening.py`:\n\n```\n$ ./detect_flattening.py samples/finspy \nFunction 0x401602 has a flattening score of 0.9473684210526315.\nFunction 0x4017c0 has a flattening score of 0.9981378026070763.\nFunction 0x405150 has a flattening score of 0.9166666666666666.\nFunction 0x405270 has a flattening score of 0.9166666666666666.\nFunction 0x405370 has a flattening score of 0.9984544049459042.\nFunction 0x4097a0 has a flattening score of 0.9992378048780488.\nFunction 0x412c70 has a flattening score of 0.9629629629629629.\nFunction 0x412df0 has a flattening score of 0.9629629629629629.\nFunction 0x412f70 has a flattening score of 0.9927007299270073.\nFunction 0x4138e0 has a flattening score of 0.9629629629629629.\n```\n\nTo apply various heuristics to detect obfuscated code, run `detect_obfuscation.py`:\n\n```\n$ ./detect_obfuscation.py samples/finspy \n================================================================================\nControl Flow Flattening\nFunction 0x401602 (sub_401602) has a flattening score of 0.9473684210526315.\nFunction 0x4017c0 (sub_4017c0) has a flattening score of 0.9981378026070763.\nFunction 0x405150 (sub_405150) has a flattening score of 0.9166666666666666.\nFunction 0x405270 (sub_405270) has a flattening score of 0.9166666666666666.\nFunction 0x405370 (sub_405370) has a flattening score of 0.9984544049459042.\nFunction 0x4097a0 (sub_4097a0) has a 
flattening score of 0.9992378048780488.\nFunction 0x412c70 (sub_412c70) has a flattening score of 0.9629629629629629.\nFunction 0x412df0 (sub_412df0) has a flattening score of 0.9629629629629629.\nFunction 0x412f70 (sub_412f70) has a flattening score of 0.9927007299270073.\nFunction 0x4138e0 (sub_4138e0) has a flattening score of 0.9629629629629629.\n================================================================================\nCyclomatic Complexity\nFunction 0x4097a0 (sub_4097a0) has a cyclomatic complexity of 524.\nFunction 0x405370 (sub_405370) has a cyclomatic complexity of 258.\nFunction 0x4017c0 (sub_4017c0) has a cyclomatic complexity of 214.\nFunction 0x412f70 (sub_412f70) has a cyclomatic complexity of 54.\nFunction 0x4138e0 (sub_4138e0) has a cyclomatic complexity of 10.\nFunction 0x412df0 (sub_412df0) has a cyclomatic complexity of 10.\n================================================================================\nLarge Basic Blocks\nBasic blocks in function 0x405340 (sub_405340) contain on average 11 instructions.\nBasic blocks in function 0x401240 (_start) contain on average 11 instructions.\nBasic blocks in function 0x4013e3 (sub_4013e3) contain on average 10 instructions.\nBasic blocks in function 0x413a80 (init) contain on average 9 instructions.\nBasic blocks in function 0x401349 (sub_401349) contain on average 7 instructions.\nBasic blocks in function 0x401030 (_init) contain on average 6 instructions.\n================================================================================\nInstruction Overlapping\n```\n\n\n## Note\n\nThe password for the zipped malware samples is "infected". 
To unpack, use the following command line:\n\n```\n$ unzip -P infected samples.zip\n```\n\n## Contact\n\nFor more information, contact [@mr_phrazer](https://twitter.com/mr_phrazer).", + "longdescription": "", "license": { "name": "GPL-2.0", "text": "Copyright 2021 Tim Blazytko\n\nThis program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.\n\nThis program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.\n\nYou should have received a copy of the GNU General Public License along with this program; if not, see ."
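Review bot: Replacing the whole `"longdescription"` value with `""` drops the plugin's only in-manifest usage documentation: the two synthesis.to blog links, the `detect_flattening.py` and `detect_obfuscation.py` invocations with their sample output, and the note that the sample archive is unpacked with `unzip -P infected samples.zip`. If that text has moved to a README, the manifest should carry a short pointer to it rather than an empty string; if it has not, keep at least the Usage and Note sections so plugin-manager users still see how to run the scripts and unpack the samples. Separately, the unchanged license text in the context line ends with "if not, see ." with nothing after "see", which looks like a dropped link and is worth fixing in the same file.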