danielplohmann/danielplohmann
Hi! I'm Daniel and I do research around (malware) reverse engineering and analysis automation.

The root and motivation for most of my projects is Malpedia, a resource for rapid identification and actionable context when investigating malware. It was launched in December 2017 by Steffen Enders and me and has been maintained by us ever since.

SMDA is a minimalistic recursive disassembler, which internally uses capstone. It was created to study and improve heuristics for function entry point detection, especially in memory-mapped buffers and shellcode.

MCRIT is the MinHash-based Code Relationship & Investigation Toolkit, a binary code similarity analysis framework. It uses SMDA as its built-in disassembler, and picblocks for the hashing of basic blocks. For easy deployment, it comes as docker-mcrit, including its web UI mcritweb.

To filter out library code during analysis, we created mcrit-data, a collection of reference library code for various compilers (MSVC, MinGW, Go, Nim, ...) and commonly found third-party libraries. For this, the support tool lib2smda was created, which converts LIB/OBJ files into SMDA reports that can then be imported into MCRIT. Empty MSVC was a precursor to this: a collection of "empty main()" Visual Studio projects compiled with various options, which can also serve well as ground truth for commonly found compiler/library code.

During my research on dynamic Windows API imports in malware, I wrote ApiScout. It's a method/tool to reliably recover such dynamic imports and make them usable in other tools. We also showed that the entirety of Windows API imports used by a malware family can be used effectively for its identification.

In 2012, I created IDAscope, an IDA Pro plugin that provides various convenience functionality during reversing. It was one of the first plugins to make extensive use of PySide/PyQt in IDA and served as a template for many others.

Over the years, I occasionally wrote some blog posts, which cover many of the above projects or aspects of them in detail.

If you want to support my work, I would be happy if you'd buy me a coffee.
