make -C src asm2graphsmake -C tests check{
"routines": [
{
"tag":"start__",
"label":"start##",
"type":"user",
"callees":[
{ "tag":"___A" }
],
"blocks":[
{
"tag":"loc_0",
"label":"loc@0",
"out_true":"loc_0",
"out_false":"",
"last_inst":"jmp",
"instructions":[
{ "str":"call @$%A" },
{ "str":"jmp loc@0" }
],
"callees":[
{ "tag":"___A" }
]
}
]
}
]
}The generated call graphs contain a list of routines:
{
"routines": []
}Each routines has a tag, a label, a list of callees, and a type:
{
"tag":"rtn_0",
"label":"rtn_0",
"callees":[
{ "tag":"sub_0" }
],
"type":"ours"
}Tags are the label where all special characters have beeen replaced by _ The type field is one of:
- idapro: generated by IDA-Pro (label starts with "sub_")
- ours: generated by our analysis (label starts with "rtn_")
- user: user defined routine
- library: routine not present in the code (DLLs)
- indirect: indirect call (ie: "call [ebp+var]")
Every routine which type is idapro, ours, or user, a CFG is generated. These are made of a list of blocks.
{
"blocks":[]
}Each block has a tag and a label. In addition they have true/false out edges (out_true and out_false) and the last instruction in the block (last_inst) if significant. Finally they have a list of instructions and a list of callees.
{
"tag":"label_2",
"label":"label_2",
"out_true":"loc_1",
"out_false":"",
"last_inst":"jmp",
"instructions":[
{ "str":"call sub_1" },
{ "str":"jmp loc_1" }
],
"callees":[
{ "tag":"sub_1" }
]
}Given a file ("malwares.lst") which contains a list of malware with absolute path:
for malware in `cat malwares.lst`
do
$MS_ASM_HOME/scripts/generate.sh $malware
rm -rf ${malware%.*} # to save space
done
tar czf malwares.tar.gz *.tar.gz 
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent