Obfuscation_Detection - Collection Of Scripts To Pinpoint Obfuscated Code


Automatically detect control-flow flattening and other state machines

Author: Tim Blazytko

Description:

Scripts and binaries to automatically detect control-flow flattening and other state machines in binaries.

Implementation is based on Binary Ninja. Check out the following blog post for more information:

Automated Detection of Control-flow Flattening


Usage
$ ./detect_flattening.py samples/finspy 
Function 0x401602 has a flattening score of 0.9473684210526315.
Function 0x4017c0 has a flattening score of 0.9981378026070763.
Function 0x405150 has a flattening score of 0.9166666666666666.
Function 0x405270 has a flattening score of 0.9166666666666666.
Function 0x405370 has a flattening score of 0.9984544049459042.
Function 0x4097a0 has a flattening score of 0.9992378048780488.
Function 0x412c70 has a flattening score of 0.9629629629629629.
Function 0x412df0 has a flattening score of 0.9629629629629629.
Function 0x412f70 has a flattening score of 0.9927007299270073.
Function 0x4138e0 has a flattening score of 0.9629629629629629.

Note

The password for the zipped malware samples is "infected". To unpack, use the following command line:

$ unzip -P infected samples.zip

Contact

For more information, contact @mr_phrazer.



Obfuscation_Detection - Collection Of Scripts To Pinpoint Obfuscated Code Obfuscation_Detection - Collection Of Scripts To Pinpoint Obfuscated Code Reviewed by Zion3R on 8:30 AM Rating: 5