Miasm

@Farenain Great! You will have a second implementation to look at soon in miasm-rs 😉

I've implemented the reaching definition analysis from @MiasmRe in KUNAI's code, it was a little bit difficult to understand the algorithm, but I did it using MjolnIR, thanks miasm for such a nice code ☺️

While there are several frameworks for #reverseengineering that provide features we needed to see through Wslink’s virtual-machine-based obfuscator, we used @MiasmRe in this project simply because it’s actively maintained and we’re already familiar and satisfied with it. 4/5

@_trou_ It's more and more difficult to "manually" address problems generated by tools : 25 years ago, obfuscation, optimizations or even program size had "human size". Now, most of them are tool generated (even source code). So we also have to use tools to be able to solve them.

Little update: based on the great @NCCGroupInfosec blog post (research.nccgroup.com/2021/10/12/a-l…), we added color support for IR and ASM graph output: Thank you guys !

@MiasmRe you have a fan :) research.nccgroup.com/2021/10/12/a-l…

@newsoft Great Post!

I finally decided to publish my complete toolset written for Tinynuke analysis You'll find config and injects grabber, dll extractors, Ghidra deobfuscation scripts and @cea_sec miasm based scripts github.com/Heat-Miser/tin… #Tinynuke #ReverseEngineering #Malware

@crackin76726107 Hum, as Miasm is a framework, I would answer "as the user has decided to implement it" :) To be honest, the picture gives nearly no clue. Is it code flattening?

@MiasmRe How does miasm solve this kind of confusion?

@BincatLady @moyix Yes, the core algorithms are re-coded in Rust to improve speed (Jitter / Lifter / code analysis / ... ) and to clean APIs a bit :) But bindings allow python scripting currently!

@moyix The rewriting of the Miasm framework (currently in Python) is on going. @MiasmRe could you confirm?

Curious if anyone is working on binary analysis tools in Rust? Most prior work I've seen is OCaml (BAP), F# (B2R2), or Python (angr), but Rust feels like it might be in a sweet spot: functional enough to make program analysis natural, but high-performance and multicore-friendly.

@crackin76726107 Yes, you have a nice one there: twitter.com/mr_phrazer/sta…

@MiasmRe Are there any examples of de-obfuscation？

@crackin10554874 Hi @crackin10554874, can you be a bit more precise for example on the Miasm gitter ? gitter.im/cea-sec/miasm

@MiasmRe module 'miasm.analysis.depgraph' has no attribute 'FilterExprSources' What should I do?

Giving the workshop on code deobfuscation was great fun. Thanks for your active participation! #HITB2021AMS Check out code, slides and samples here: github.com/mrphrazer/hitb…

Congratulation, you both succeeded in: - resolving the challenge - writing a great tutorial on how to add a custom architecture in Miasm & exploit the IR!

If you want to learn more about control-flow graph construction, analysis and loop detection, check out my slide deck. I also wrote a blog post on how these concepts can be easily explored with @MiasmRe. synthesis.to/2021/03/15/con…

A good example of automatic code deobfuscation based on pattern matching is stadeo by @ESET. They use @MiasmRe to automatically remove control flow flattening for the stantinko malware family. github.com/eset/stadeo

@mr_phrazer @r2gui Great workshop Tim! Hopefully, IR translation/symbolic execution/z3 translation will be nearly instantaneous in the @rust version of miasm ;)

Friday, 19:00 GMT+2 at #r2con2020: In a live coding, I will use @r2gui and @MiasmRe to automatically identify and remove opaque predicates in an APT malware sample. Check it out: rada.re/con/2020/youtu…

Emulating the NotPetya bootloader with @MiasmRe, an article by @la_F0uin3 and myself, translated from an article originally published in @MISCRedac : aguinet.github.io/blog/2020/08/2… Code available here: github.com/aguinet/miasm-…

@0xrepnz @_sudhackar For a real case symbolic execution example, here is (an old) one: miasm.re/blog/2016/09/0…

@_sudhackar @MiasmRe Symbolic execution is very interesting, I read "practical binary analysis" and Triton is interesting as well. The question is: Is it useful outside of CTFs and labs.. I'm not an expert on this topic but I only see it in labs and CTFs 😕

Finally got some time to try @MiasmRe to solve a crackme. I wrote a blog on how to use its Dynamic Symbolic Execution engine to automatically find and solve constraints since there are not many blogs on it sudhackar.github.io/blog/learning-…

@rh0main Thanks a lot to @w4kfu => the solution was in the redirection by *hash* of Apiset!

@rh0main If I don't mess up, api-ms-win-core-processthreads-l1-1-2 is not present in the ApiSet, and it's present on the disk (in the downlevel sub dir). So I definitively miss something here.

I am missing something here; On windows 10 15063: - In kernel32, IsProcessCritical is an export redirected to api-ms-win-core-processthreads-l1-1-2.IsProcessCritical - no ApiSet for this dll - in this dll, IsProcessCritical is... a redirected export to kernel32.IsProcessCritical