Malware Code Coverage Project

Malware Code Coverage Project

Abstract

When you run a sample, you're running about 30-40% of its code on average. This comes often attributed to the fact that there are many alternative basic blocks in each function, all error conditions, exceptions, etc. But from this number it is not really clear if the execution is being lost large monolithic chunks of code. We implemented a more fine-grained measure of coverage, after instrumenting to capture the executed basic-blocks, we compared against all code in memory intelligently.

Requirements

pip install -r requirements.txt

Settings

Set environment variable GHIDRA_INSTALL_DIR as directory where Ghidra is installed
Compile nucleus using make
For each minidump, also a trace and the binary must be provided, all with same name
The three files should be named as <sample_name>.dmp, <sample_name>.bbl and <sample_name>

Run command

python coverage.py <minidump_file>

Name		Name	Last commit message	Last commit date
Latest commit History 109 Commits
classes		classes
nucleus @ 91c6b9f		nucleus @ 91c6b9f
.gitignore		.gitignore
.gitmodules		.gitmodules
LICENSE		LICENSE
README.md		README.md
coverage.py		coverage.py
ghidra_initscript.py		ghidra_initscript.py
ghidra_postscript.py		ghidra_postscript.py
requirements.txt		requirements.txt

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

Malware Code Coverage Project

Abstract

Requirements

Settings

Run command

About

Releases

Packages

Languages

License

f4ncyz4nz4/malware_code_coverage

Folders and files

Latest commit

History

Repository files navigation

Malware Code Coverage Project

Abstract

Requirements

Settings

Run command

About

Resources

License

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages