Visual Reverse Engineering of Binary and Data Files

Gregory Conti Erik Dean

Matthew Sinda Benjamin Sangster

United States Military Academy

West Point, New York

doc xls txt…

operated on by applications

executed by OS

core dump pagefile.sys hiberfil.sys…

ELF PE... 01010

10101 01010

memory

network

other special cases

process memory cache…

packets…

Framework

•  File Independent Level – Entropy – Byte Frequency – N-Gram Analysis – Strings – Hex / Decimal / ASCII – Bit Plot (2D/3D) – File Statistics

•  File Specific Level – Complete or Partial Knowledge of File

Structure – For Example, Metadata

Framework

Hex Editor Core

Textual Hex/ASCII Detail View

Traditional Textual Utilities

(strings...)

Graphical Displays

Machine Assisted Mapping and Navigation

Hex Editor Core

(strings...)

Graphical Displays

Hex Editor Core

(strings...)

Graphical Displays

Hex Editor Core

(strings...)

Graphical Displays

Towards a Visual Hex Editor •  Malware Analysis •  Locate Embedded Objects

–  Encoding / Encryption •  Audit Files for Vulnerabilities •  Compare files (Diffing) •  Cracking •  Analyze Unknown/Undocumented File

Format •  Cryptanalysis •  Perform Forensic Analysis •  File System Analysis •  Reporting •  File Fuzzing

•  Textual: Text/ASCII, Strings, ByteCloud

•  Graphical: Bitplot, BytePlot, RGBPlot, BytePresence, ByteFrequency, Digram, Dotplot

•  Interaction: VCR, Memory Map, Color Coding

System Overview

Digraph View

black hat bl (98,108) la (108,97) ac (97,99) ck (99,107) k_ (107,32) _h (32,104) ha (104,97) at (97,116)

Digraph View

0,1, ... 255

Byte 0 Byte 1

Byte 255

98,108

32,108

uuencoded

constrained pairs slashdot.org .txt

compression encryption

incrementing words

Byte Plot

255 108 0 40 ...

RGB Plot

255 108 0 40 128 255 0 0 0 200 0 0

Byte Presence

Display Comparison

Pixels/Byte 19” Monitor Gain

Textual Hex

300 pixels/byte

4.4 KB

Byte View

1 pixel/byte

1.3 MB

RGB View

3 bytes/pixel

3.9 MB

Encryption

unencrypted

Fixed Length Structure

Neverwinter Nights Database File

Variable Length Structure

Thumbs.db

See http://www.acquisitiondata.com/white_papers/thumbsdbfiles.pdf for a well written white paper.

Demo (Firefox hdmp)

Firefox .hdmp

Redacted PDF...

http://entertainment.slashdot.org/article.pl?sid=08/05/20/0228229

Weaknesses

• entire file may be extracted from bit/byte/RGB – May trigger AV or IDS – 8bit/byte steg

• Screams for big monitor • Better memory management

–  ~300MB+ • Unicode

Future Work

•  Plug-ins / Editable Config Files – Visualizations – Encodings

•  Saving state – Memory Maps

•  Improving Interaction – What works / What doesn’t

•  Multiple Files / File Systems •  REGEX search •  Automated Memory Map Generation

Acknowledgements

Damon Becknell, Jon Bentley, Jean Blair, Sergey Bratus, Chris Compton, Tom Cross, Ron Dodge, Carrie Gates, Chris Gates, Joe Grand, Julian Grizzard, Toby Kohlenberg, Oleg Kolesnikov, Frank Mabry, Raffy Marty, Brent Nolan, Gene Ressler, Ben Sangster, Dino Schweitzer, Matt Sinda, and Ed Sobiesk

? Gregory Conti gregory.conti@usma.edu|

Erik Dean erik.dean@usma.edu

Visual Reverse Engineering of Binary and Data Files · slashdot.org .txt constrained pairs...

Documents

ATA Extensions Document - T13 · Web viewIn memory byte 0 of a Word is stored in the lower byte address and byte 1 is stored in the higher byte address. On Paper: Byte 1 Byte 0 15

Encoder assoluto multi-giro con protocollo CANopen, di ... · COB ID DLC Byte 1 Byte 2 Byte 3 Byte 4 Byte 5 Byte 6 Byte 7 Byte 8 580H+Node 08H 80H Object L Object H Subindex Err.0

Byte division

Byte Exchange Handbook

DZ770 DW740 DX810 コマンド€¦ · 1 byte 4 bytes 1 byte 3 bytes 1 byte Undefined length 1 byte 基本制御コマンド（サブコマンドあり） Start (STX) ID Separator

bit, Byte, Kilobyte

Golden Byte 2011

Travesty in Byte

Byte Blaster MV

Programming Manual (supplement) CAN module RTC CR30200x380 + node ID DLC = 6 Byte 0 = remaining time in days Byte 1 = remaining time in hours Byte 2 = Remaining time in minutes Byte

Byte Code 11

MAXIM INTEGRATED CONFIDENTIAL the delay is complete, the master transmits a du mmy byte and receives the length byte and result byte from DS28E38. Depending on the length byte received,

10 logo1 byte

RIVER - Home - the mill...PLANT ROOM ELEC METERS PLOT PLOT 333 PLOT 332 PLOT 331 PLOT 330 PLOT 334 ELEC METERS PLOT 335 PLOT 336 340 339 PLOT 338 PLOT 337 PLOT …

Byte 1981 08

Byte of Python

Savitch - Chapters 9&11 CS 150173 Pointers A pointer holds the memory address of a variable. Main Memory Byte #00000000 Byte #00000001 Byte #00000010 Byte

plot 1 - JPP Land PLAN 8.6.16.pdf · plot 1 plot 2 plot 3 plot 4 plot 5 plot 6 plot 7 plot 8 plot 9 plot 10 plot 11 plot 12 ... 5wkvg /ctmgv *qwug Ä /ctmgv 2nceg 9qmkpijco $gtmu

Networked Applications: Sockets - האקדמיתhbinsky/intro comp comm/Sockets.pdf · Four-byte long int: (byte 3, byte 2, byte 1, byte 0) vs. (byte 0, byte 1, byte 2, byte 3) String

Cougar Byte Layout