About
- published at Studia Universitatis Babeș-Bolyai Informatica 2022
Abstract
"
A powerful feature used in automated malware analysis is the static call graph of the executable file.
Elimination of the sandbox environment, fast scanning, and function call patterns beyond instruction-level information --
all of these motivate the prevalence of the feature. Processing and storing the static call graph of
malicious samples in a scaled manner facilitates the application of complex network analysis in malware research.
IDA Pro is one of the leading disassembler tools in the industry [1], [2], which offers the generation
of the call graph via the `GenCallGdl` and `GenFuncGdl` APIs -- a tool which we used in our
previous works [3], [4].
In this paper we offer an alternative analysis using another disassembler tool, Radare2,
an open-source Unix-based software, which is also frequently used in this
domain [5], [6], [7], [8], [9].
Radare2 has Python support (among other languages) via the `r2pipe` package, thus enabling
full scalability on Linux-based servers using containerized solutions.
This paper offers a detailed technical description of how to use Radare2 to generate
the static call graph of a PE file and a thorough comparison with
the output of IDA Pro, as well as a public dataset on which the experiments were carried out.
"
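As an added illustration of the r2pipe workflow the abstract describes (this is example code, not the paper's own tooling), the script below drives Radare2 from Python, turns the `agCj` global call graph into a set of caller/callee edges, and scores two such graphs with the Jaccard index named in the keywords. The JSON shape assumed for `agCj` (`{"nodes": [{"id", "title", "out_nodes"}]}`) and the two sample graphs are assumptions/constructed data, not output from the paper's dataset.

```python
"""Static call graph via Radare2/r2pipe, plus a Jaccard comparison of two graphs."""
import json
from typing import Dict, Set, Tuple

Edge = Tuple[str, str]  # (caller function name, callee function name)


def edges_from_agcj(agcj_text: str) -> Set[Edge]:
    """Parse `agCj` output into (caller, callee) edges.
    Assumed schema: {"nodes": [{"id": int, "title": str, "out_nodes": [int]}]};
    confirm it against the radare2 version you run."""
    graph = json.loads(agcj_text)
    titles: Dict[int, str] = {n["id"]: n["title"] for n in graph["nodes"]}
    return {(n["title"], titles[dst])
            for n in graph["nodes"] for dst in n.get("out_nodes", [])}


def nodes_of(edges: Set[Edge]) -> Set[str]:
    return {name for edge in edges for name in edge}


def jaccard(a: Set, b: Set) -> float:
    """|A ∩ B| / |A ∪ B|; two empty sets count as identical."""
    return 1.0 if not a and not b else len(a & b) / len(a | b)


def call_graph_of(path: str) -> Set[Edge]:
    """Analyse a PE file with Radare2 and return its static call graph.
    Requires the r2pipe package and a radare2 install (not exercised below)."""
    import r2pipe  # lazy import so the parsing/comparison part runs without r2
    r2 = r2pipe.open(path, flags=["-2"])  # -2: silence stderr
    try:
        r2.cmd("aaa")  # full auto-analysis: functions, xrefs, call references
        return edges_from_agcj(r2.cmd("agCj"))
    finally:
        r2.quit()


def compare(agcj_a: str, agcj_b: str) -> Dict[str, float]:
    """Node-set and edge-set Jaccard similarity of two `agCj` call graphs."""
    ea, eb = edges_from_agcj(agcj_a), edges_from_agcj(agcj_b)
    return {"nodes": jaccard(nodes_of(ea), nodes_of(eb)), "edges": jaccard(ea, eb)}


# Constructed `agCj`-style outputs standing in for two analyses of one sample.
SAMPLE_A = json.dumps({"nodes": [
    {"id": 0, "title": "entry0", "out_nodes": [1, 2]},
    {"id": 1, "title": "main", "out_nodes": [2, 3]},
    {"id": 2, "title": "sym.imp.KERNEL32.dll_CreateFileA", "out_nodes": []},
    {"id": 3, "title": "fcn.00401000", "out_nodes": []}]})
SAMPLE_B = json.dumps({"nodes": [
    {"id": 0, "title": "entry0", "out_nodes": [1]},
    {"id": 1, "title": "main", "out_nodes": [2, 3]},
    {"id": 2, "title": "sym.imp.KERNEL32.dll_CreateFileA", "out_nodes": []},
    {"id": 3, "title": "fcn.00401000", "out_nodes": [4]},
    {"id": 4, "title": "sym.imp.KERNEL32.dll_CloseHandle", "out_nodes": []}]})

if __name__ == "__main__":
    print(compare(SAMPLE_A, SAMPLE_B))  # {'nodes': 0.8, 'edges': 0.6}
```

Run `call_graph_of("sample.exe")` on a real file to get the edge set the comparison functions expect; a name-normalisation step (the Levenshtein/Jaro matching the keywords mention) is needed before comparing against IDA Pro output, since the two tools name functions differently.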
Keywords: static call graph, IDA Pro 6, Radare2, Levenshtein, Jaro, Jaccard
Dataset
- selection from Kaggle
- selected dataset