workflow: binary -> retdec lift into llvm-ir -> minhash -> db

Stores functions in binaries as minhash sets for quick lookup for similar functions. Example usecases:

• detect libc functions with stripped names (demangling)
• detect similar functions in other binaries (e.g. malware analysis/clustering)
• match functions in a binary with open source functions (source code recovery / decompiling)

(can comment out ssdeep and pysimhash if not running experiments, the main db is in minhash)

pip3 install -r requirements.txt

need to install retdec from https://github.com/avast/retdec and place retdec-decompiler on PATH

./bcd.py -i /bin/whoami

(if no picklefile specified, a new db is saved in the db_dict.pkl)

./bcd.py /bin/echo

• index binaries that have symbols (not stripped) for symbol demangling

  • to see binaries with symbols, use nm <path to binary> on linux/mac (use WSL if you are on windows)

• index known functions, like crypto routines, to detect similar crypto routines (e.g. in ransomware)

The Work-In-Progress flask app works ONLY IN SINGLE THREADED MODE (because of global variables)

If you are running it behind a reverse proxy (like nginx), do NOT use multiple workers. Just use one python and process and proxy pass the port (e.g. 5000)

Make sure you have flask installed (already in requirements.txt).

to run:

./server.py