Anatomy of File Analysis and Decomposition Engine
Uploaded by mario-suvajac
Page 4
• Collect as much information as possible from files/binary objects
– Other contained files/objects
– Metadata, e.g. mobile app permissions, geolocation, IP addresses, domains, etc.
• Strip protection layers for additional analysis
• Do it really, really fast
• Do it at scale
Page 5
• Forensics
• Anti-Virus
• Threat Intelligence
• ...
Page 7
• Files can be
– Packed
– Obfuscated
– Encrypted
– Broken
• Large amounts of data to process
• Speed
Page 9
• Consolidating metadata and files/objects
• Scheduling
• Reporting
• Communication
Page 10
Diagram: FILES → ENGINE → FILES, METADATA
Page 11
• Preprocessing
– Identification
– Initial analysis
• Analysis
– Unpacking
– Validation
• Post-processing
– Consolidating metadata
Page 12
Diagram: MODULES (IDENTIFICATION, ANALYSIS, VALIDATION, UNPACKING, ...); SCHEDULER; output: REPORT, METADATA, FILES
Page 13
• Speed
• Security
• We can emulate
Page 15
• Various identification engines
– Signature based
– Heuristics
– ...
• Problems
Page 16
• Signatures
• Various complexity
– Simple (e.g. PEiD)
  • Simple byte and wildcard matching, hash matching
  • 12 ?? 56 ?8 9?
– Medium (e.g. TitanMist)
  • Small regex-like subset
– High (e.g. TLang)
  • Almost full-fledged programming language
• Other
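As an added illustration of the "simple" signature class above (example code written for this page, not code from the talk or from PEiD, TitanMist or TLang): a matcher for byte signatures with `??` (any byte) and nibble wildcards such as `?8` and `9?`, run over a constructed sample buffer with constructed signature names.

```python
from __future__ import annotations
import re

# Added example, not the engine's code. Token grammar: two hex digits,
# '?' standing for an unknown nibble; "??" therefore matches any byte.
_TOKEN = re.compile(r"^[0-9A-Fa-f?]{2}$")

def compile_signature(pattern: str) -> list[tuple[int, int]]:
    """Turn '12 ?? 56 ?8 9?' into (value, mask) pairs.
    A byte b matches a pair if (b & mask) == value; a '?' nibble
    clears the corresponding mask bits so anything is accepted there."""
    compiled = []
    for tok in pattern.split():
        if not _TOKEN.match(tok):
            raise ValueError(f"bad signature token {tok!r}")
        hi, lo = tok[0], tok[1]
        value = mask = 0
        if hi != "?":
            value |= int(hi, 16) << 4
            mask |= 0xF0
        if lo != "?":
            value |= int(lo, 16)
            mask |= 0x0F
        compiled.append((value, mask))
    return compiled

def find_signature(data: bytes, compiled: list[tuple[int, int]],
                   start: int = 0) -> int:
    """Offset of the first match at or after `start`, or -1 if none.
    Naive O(len(data) * len(signature)) scan; an engine built for
    speed would compile many signatures into one automaton instead."""
    n = len(compiled)
    for off in range(start, len(data) - n + 1):
        if all((data[off + i] & m) == v for i, (v, m) in enumerate(compiled)):
            return off
    return -1

def identify(data: bytes, signatures: dict[str, str]) -> list[str]:
    """Names of every signature in the database that occurs in `data`."""
    return [name for name, pat in signatures.items()
            if find_signature(data, compile_signature(pat)) != -1]

# Constructed signature database (hypothetical names) and sample buffer:
# the slide's pattern sits at offset 3, the second pattern at offset 10.
SIGNATURES = {
    "slide-example": "12 ?? 56 ?8 9?",
    "hypothetical-stub": "EB 0A ?? ?? 90 90",
}
SAMPLE = bytes.fromhex("4D5A90" "12AB56C89F" "0000" "EB0A1122" "9090")
```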
Page 18
• Some parts depend on identification
• Dedicated analysis modules
• Internal/external modules
Page 19
• Unpacking
• Validation
• Collecting metadata
• Repairing broken files