Malware analysis tools

pharos v2019.08 releases: Automated static analysis tools for binary programs

Pharos Static Binary Analysis Framework

The Pharos static binary analysis framework is a project of the Software Engineering Institute at Carnegie Mellon University. The framework is designed to facilitate the automated analysis of binary programs. It uses the ROSE compiler infrastructure developed by Lawrence Livermore National Laboratory for disassembly, control flow analysis, instruction semantics, and more.

The Pharos framework is a research project, and the code is undergoing active development. No warranties of fitness for any purpose are provided. While this release provides build instructions, unit tests, and some documentation, much work remains to be done. We’ve tested a few select build configurations, but have not actively tested the portability of the source code. See the installation instructions for more details.

Pharos Static Binary Analysis Tools

APIAnalyzer

ApAnalyzer is a tool for finding sequences of API calls with the specified data and control relationships. This capability is intended to be used to detect common operating system interaction paradigms like opening a file, writing to it, and the closing it.

OOAnalyzer

OOAnalyzer is a tool for the analysis and recovery of object-oriented constructs. This tool was the subject of a paper titled “Recovering C++ Objects From Binaries Using Inter-Procedural Data-Flow Analysis” which was published at the ACM SIGPLAN on Program Protection and Reverse Engineering Workshop in 2014. The tool identifies object members and methods by tracking object pointers between functions in the program. This tool was previously named “Objdigger” and is the process of being renamed OOAnalyzer as part of a substantial redesign using Prolog rules to recover the object attributes.

CallAnalyzer

Callanalyzer is a tool for reporting the static parameters to API calls in a binary program. It is largely a demonstration of our current calling convention, parameter analysis, and type detection capabilities, although it also provides the useful analysis of the code in a program.

FN2Yara

FN2Yara is a tool to generate YARA signatures for matching functions in an executable program. Programs that share significant numbers of functions are likely to have behaviour in common.

FN2Hash

FN2Hash is a tool for generating a variety of hashes and other descriptive properties for functions in an executable program. Like FN2Yara it can be used to support binary similarity analysis, or provide features for machine learning algorithm.

DumpMASM

DumpMASM is a tool for dumping diassembly listings from an executable using the Pharos framework in the same style as the other tools. It has not been actively maintained, and you should consider using ROSE’s standard recursiveDisassemble instead.

Changelog v2019.08

The current distribution is a substantial update to the previous version and adds a variety of features including improvements to the OOAnalyzer tool, experimental path analysis code, partitioner improvements, multi-threading, and many other smaller features.

Download

Copyright 2017 Carnegie Mellon University. All Rights Reserved.

Anastasis Vasileiadis

PC Technical || Penetration Tester || Ethical Hacker || Cyber Security Expert || Cyber Security Analyst || Information Security Researcher || Malware analyst || Malware Investigator || Reverse Engineering