Obfuscation Detection: Detect obfuscated code and interesting code constructs

Obfuscation Detection

Obfuscation Detection is a Binary Ninja plugin to detect obfuscated code and interesting code constructs (e.g., state machines) in binaries. Given a binary, the plugin eases analysis by identifying code locations which might be worth a closer look during reverse engineering.

Based on various heuristics, the plugin pinpoints functions that contain complex or uncommon code constructs. Such code constructs may implement

  • obfuscated code
  • state machines and protocols
  • C&C server communication
  • string decryption routines
  • cryptographic algorithms

The following blog posts provide more information about the underlying heuristics and demonstrate their use cases:

Some example use cases can be found in examples. Furthermore, the REcon talk “Unveiling Secrets in Binaries using Code Detection Strategies” demonstrates some use cases. The slides can be found here; the recording can be found here.

Features

  • identifies interesting code constructs in large binaries
  • highlights misaligned instructions in Binary Ninja’s graph view
  • efficient and architecture-agnostic implementation
  • runs as a background task
  • can be used in UI and headless mode

Download & Use

Copyright (C) 2021 Tim Blazytko