rieck / malheur

A Tool for Automatic Analysis of Malware Behavior

MIST for static

wangjingan opened this issue · comments

Hi there, is there any possible way to create MIST for static representation?

Do you mean by statically decompiling the binary and tracing the API calls?


Exactly, perhaps take the MIST source code out and customize its insides.

You could, but there are two issues:

1. you will probably only manage to get to level 1 instructions (backtracking register values passed to function calls is going to be a nightmare)
2. you will get "decompiled noise" from packed/encrypted binaries unless you have a magical universal static unpacker (except for the simple ones like UPX etc.)
3. you will have no information to know the running processes (okay, you can discard them)

If you want to use a python-based decompiler I suggest using Capstone.
Let me know.

Cheers.

Dr. Paolo Di Prodi
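As an added illustration of issue 1 above (not code from the malheur project or from either commenter), the script below emits MIST-style "category operation | arguments" lines for import calls found by static disassembly and shows where argument recovery stops working. To run without dependencies it uses a hand-written decoder for the few x86-32 encodings in its sample instead of Capstone; the import table, the category/operation numbers, the byte sample and the `????????` marker for unrecoverable arguments are all assumptions made here, not real MIST assignments.

```python
# Added example (not Malheur's or MIST's own code): a toy static MIST extractor for a
# handful of 32-bit x86 encodings.  A tiny decoder stands in for a real disassembler
# such as Capstone so the script has no dependencies; the point is to show why
# backtracking call arguments (issue 1 above) is hard.  The import table, the
# category/operation numbers and the byte sample are all constructed.
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

def _u32(code, i):
    return int.from_bytes(code[i:i + 4], "little")

def _s8(code, i):
    return int.from_bytes(code[i:i + 1], "little", signed=True)

def decode(code, base):
    """Decode the x86-32 subset used here into (addr, mnemonic, operands) tuples."""
    insns, i = [], 0
    while i < len(code):
        addr, op = base + i, code[i]
        if op == 0x6A:                            # push imm8 (sign-extended)
            insn, size = ("push", ("imm", _s8(code, i + 1) & 0xFFFFFFFF)), 2
        elif op == 0x68:                          # push imm32
            insn, size = ("push", ("imm", _u32(code, i + 1))), 5
        elif 0x50 <= op <= 0x57:                  # push r32
            insn, size = ("push", ("reg", REGS[op - 0x50])), 1
        elif 0xB8 <= op <= 0xBF:                  # mov r32, imm32
            insn, size = ("mov", (REGS[op - 0xB8], ("imm", _u32(code, i + 1)))), 5
        elif op == 0x8B and code[i + 1] >> 6 == 1 and code[i + 1] & 7 != 4:
            modrm = code[i + 1]                   # mov r32, [reg+disp8]
            src = f"[{REGS[modrm & 7]}{_s8(code, i + 2):+#x}]"
            insn, size = ("mov", (REGS[(modrm >> 3) & 7], ("mem", src))), 3
        elif op == 0xFF and code[i + 1] == 0x15:  # call dword ptr [disp32]: the usual IAT call
            insn, size = ("call", ("iat", _u32(code, i + 2))), 6
        elif op == 0xC3:
            insn, size = ("ret", None), 1
        else:
            raise ValueError(f"unsupported opcode {op:#x} at {addr:#x}")
        insns.append((addr,) + insn)
        i += size
    return insns

def resolve_register(insns, idx, reg):
    """Value of `reg` at insns[idx] if its last write was a plain immediate, else None."""
    for j in range(idx - 1, -1, -1):
        _, mnem, ops = insns[j]
        if mnem == "call" and reg in ("eax", "ecx", "edx"):
            return None                   # caller-saved register, clobbered by the callee
        if mnem == "mov" and ops[0] == reg:
            kind, val = ops[1]
            return val if kind == "imm" else None   # a memory load needs real data-flow analysis
    return None

def call_arguments(insns, call_idx, nargs):
    """The nargs stack arguments of the call at insns[call_idx].
    With stdcall/cdecl the push closest to the call is the first argument."""
    args = []
    for j in range(call_idx - 1, -1, -1):
        if len(args) == nargs:
            break
        _, mnem, ops = insns[j]
        if mnem == "call":
            break                         # earlier pushes belong to that call
        if mnem == "push":
            kind, val = ops
            args.append(val if kind == "imm" else resolve_register(insns, j, val))
    return args

# Constructed import table: IAT slot -> (name, argument count, (category, operation)).
# The category/operation numbers are placeholders, not the real MIST assignments.
IAT = {0x402000: ("VirtualAlloc", 4, (0x0B, 0x01)),
       0x402004: ("CloseHandle", 1, (0x0B, 0x02))}

def mist_static(code, base):
    """One MIST-style line per import call: 'cat op | arg1 arg2 ...' (level 1 | level 2).
    Arguments that cannot be recovered statically are written as '????????' (our convention)."""
    insns = decode(code, base)
    lines = []
    for idx, (_, mnem, ops) in enumerate(insns):
        if mnem == "call" and ops[0] == "iat" and ops[1] in IAT:
            _, nargs, (cat, op) = IAT[ops[1]]
            args = call_arguments(insns, idx, nargs)
            level2 = " ".join("????????" if a is None else f"{a:08x}" for a in args)
            lines.append(f"{cat:02x} {op:02x} | {level2}")
    return lines

# Constructed sample (bytes -> assembly):
#   6a40 push 0x40 | 6800100000 push 0x1000 | b800020000 mov eax,0x200 | 50 push eax
#   6a00 push 0    | ff1500204000 call [0x402000] (VirtualAlloc)
#   8b4508 mov eax,[ebp+8] | 50 push eax | ff1504204000 call [0x402004] (CloseHandle) | c3 ret
# i.e. VirtualAlloc(0, 0x200, MEM_COMMIT, PAGE_EXECUTE_READWRITE) with dwSize routed through
# eax (recoverable), then CloseHandle(h) with h loaded from the caller's frame (not recoverable).
SAMPLE = bytes.fromhex("6a40" "6800100000" "b800020000" "50" "6a00" "ff1500204000"
                       "8b4508" "50" "ff1504204000" "c3")

if __name__ == "__main__":
    for line in mist_static(SAMPLE, 0x401000):
        print(line)
```

The first call resolves all four level-2 arguments because the only indirection is a `mov eax, imm32` immediately before the push; the second does not, because the handle comes from `[ebp+8]`, and following that requires modelling the caller's stack frame, which is exactly the "nightmare" the reply refers to. Swapping the toy decoder for Capstone changes the decoding, not the backtracking problem.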

Static analysis of malware is an involved topic. An interesting read with respect to clustering is the following paper: http://dl.acm.org/citation.cfm?doid=2523649.2523677

However, Malheur and MIST are not designed to support static analysis, so I am closing this issue.