Daniel Plohmann (@danielplohmann)

Malware Researcher. Working for Fraunhofer@fkie.

Organizations: @fkie-cad

danielplohmann/README.md

Hi! I'm Daniel and I do research on (malware) reverse engineering and analysis automation.

The root and motivation for most of my projects is Malpedia, a resource for rapid identification and actionable context when investigating malware. It was launched in December 2017 by Steffen Enders and me, and we have maintained it ever since.

SMDA is a minimalistic recursive disassembler, which internally uses capstone. It was created to study and improve heuristics for function entry point detection, especially in memory-mapped buffers and shellcode.

MCRIT is the MinHash-based Code Relationship & Investigation Toolkit, a binary code similarity analysis framework. It uses SMDA as its built-in disassembler and picblocks for hashing basic blocks. For easy deployment, it comes as docker-mcrit, which includes its web UI, mcritweb.
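As an added illustration of the MinHash idea behind MCRIT, the following Python is example code written for this page, not MCRIT's or picblocks' own implementation. It represents a function as the set of hashes of its basic blocks, hashes each block by its mnemonic sequence only (a constructed, simplified stand-in for picblocks' position-independent hashing: operands such as addresses and immediates are dropped so relocation or recompilation does not change the hash), builds a fixed-length MinHash signature per function, and compares the signature match rate against the exact Jaccard index. The three sample functions are constructed inline; "FUNC_B" is meant as a patched variant of "FUNC_A", "FUNC_C" as unrelated code.

```python
"""MinHash estimate of code similarity between functions.

Example code written for this page; not MCRIT's or picblocks' implementation.
"""
import hashlib
import random
from typing import List, Sequence, Set, Tuple

# 61-bit Mersenne prime. Block hashes are kept below it, so each map
# x -> (a*x + b) mod p with a != 0 permutes the hash values without collisions.
MERSENNE_PRIME = (1 << 61) - 1
HASH_MASK = (1 << 60) - 1

# Constructed sample functions: a list of basic blocks, each block given as
# its mnemonic sequence with operands already stripped.
FUNC_A = [
    ["push", "mov", "sub", "call", "test", "jz"],
    ["mov", "lea", "call", "mov", "jmp"],
    ["xor", "mov", "cmp", "jne"],
    ["mov", "add", "pop", "ret"],
]
# Patched variant of FUNC_A: one block changed, one block added.
FUNC_B = [
    ["push", "mov", "sub", "call", "test", "jz"],
    ["mov", "lea", "call", "mov", "jmp"],
    ["xor", "mov", "cmp", "jne"],
    ["mov", "lea", "pop", "ret"],
    ["push", "call", "pop", "jmp"],
]
# Unrelated function sharing no block with FUNC_A.
FUNC_C = [
    ["movzx", "shl", "or", "ret"],
    ["rep", "stosb", "ret"],
]


def block_hash(mnemonics: Sequence[str]) -> int:
    """Hash a basic block by its mnemonic sequence only (simplified stand-in
    for a position-independent block hash; not picblocks' actual scheme)."""
    digest = hashlib.sha256(" ".join(mnemonics).encode("ascii")).digest()
    return int.from_bytes(digest[:8], "little") & HASH_MASK


def function_hashes(blocks: Sequence[Sequence[str]]) -> Set[int]:
    """A function is represented as the set of its block hashes."""
    return {block_hash(b) for b in blocks}


def minhash_params(num_perm: int, seed: int = 1337) -> List[Tuple[int, int]]:
    """num_perm universal hash functions h(x) = (a*x + b) mod p, fixed by seed
    so that signatures computed at different times stay comparable."""
    rng = random.Random(seed)
    return [(rng.randrange(1, MERSENNE_PRIME), rng.randrange(0, MERSENNE_PRIME))
            for _ in range(num_perm)]


def minhash_signature(hashes: Set[int], params: Sequence[Tuple[int, int]]) -> List[int]:
    """One minimum per hash function: num_perm ints regardless of the set size."""
    if not hashes:
        raise ValueError("cannot sign a function without basic blocks")
    return [min((a * h + b) % MERSENNE_PRIME for h in hashes) for a, b in params]


def estimate_jaccard(sig_a: Sequence[int], sig_b: Sequence[int]) -> float:
    """Pr[min_a == min_b] equals the Jaccard index, so the match rate estimates it."""
    return sum(x == y for x, y in zip(sig_a, sig_b)) / len(sig_a)


def exact_jaccard(a: Set[int], b: Set[int]) -> float:
    return len(a & b) / len(a | b)


def compare(func_a: Sequence[Sequence[str]], func_b: Sequence[Sequence[str]],
            num_perm: int = 256) -> Tuple[float, float]:
    """Return (exact Jaccard index, MinHash estimate) for two functions."""
    params = minhash_params(num_perm)
    ha, hb = function_hashes(func_a), function_hashes(func_b)
    estimate = estimate_jaccard(minhash_signature(ha, params),
                                minhash_signature(hb, params))
    return exact_jaccard(ha, hb), estimate


if __name__ == "__main__":
    for name, other in (("B (patched variant)", FUNC_B), ("C (unrelated)", FUNC_C)):
        exact, est = compare(FUNC_A, other)
        print(f"A vs {name}: exact Jaccard {exact:.3f}, MinHash estimate {est:.3f}")
```

The signature is what makes this scale: two functions are compared in O(num_perm) steps however many blocks they have, and signatures can be indexed for lookup. The estimate's standard error is roughly sqrt(J(1-J)/num_perm), so 256 hash functions put it within a few percent of the true Jaccard index.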

To filter out library code during analysis, we created mcrit-data, a collection of reference library code for various compilers (MSVC, MinGW, Go, Nim, ...) and commonly found 3rd-party libraries. For this, the support tool lib2smda was created; it converts LIB/OBJ files into SMDA reports, which can then be imported into MCRIT. Empty MSVC was a precursor to this: a collection of "empty main()" Visual Studio projects compiled with various options, which also serves well as ground truth for commonly found compiler/library code.

During my research on dynamic Windows API imports in malware, I wrote ApiScout. It is a method and tool to reliably recover such dynamic imports and make them usable in other tools. We also showed that the full set of Windows API imports used by a malware family can be used effectively for its identification.

In 2012, I created IDAscope, an IDA Pro plugin that provides various convenience functionality during reversing. It was one of the first plugins to make extensive use of PySide/PyQt in IDA and served as a template for many others.

Over the years, I occasionally wrote some blog posts, which cover many of the above projects, or aspects of them, in detail.

If you want to support my work, I would be happy if you'd buy me a coffee.

Pinned repositories

  1. apiscout (Public)

     This project aims at simplifying Windows API import recovery on arbitrary memory dumps.

     Python, 247 stars, 43 forks

  2. smda (Public)

     SMDA is a minimalist recursive disassembler library that is optimized for accurate Control Flow Graph (CFG) recovery from memory dumps.

     Python, 231 stars, 38 forks

  3. idascope (Public)

     An IDA Pro extension for easier (malware) reverse engineering.

     Python, 111 stars, 18 forks

  4. mcrit (Public)

     The MinHash-based Code Relationship & Investigation Toolkit (MCRIT) is a framework created to simplify the application of the MinHash algorithm in the context of code similarity.

     Python, 90 stars, 12 forks

  5. docker-mcrit (Public)

     Dockerized setup for the MinHash-based Code Recognition & Investigation Toolkit (MCRIT).

     Python, 15 stars, 3 forks
