Finding Cryptography in Object Code

Expo Theatre (Hall G) October 21, 2008


Jason Wright

Finding and identifying cryptography is a growing concern in the malware analysis community. The current state of the art is to locate it manually and identify it from the various constants the algorithms use. By examining the operations that cryptographic functions perform, it is possible to locate them heuristically instead.

The types and arguments of processor instructions tend to differ between cryptographic functions and ordinary functions. I assign weights based on some empirically determined properties to estimate the probability that a function contains cryptography. A heuristic of this kind is not sensitive to subtle perturbations of the magic constants currently used for location and identification.
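The following is an added illustration of the instruction-mix heuristic described above; it is not code from the talk, and the weights, the zeroing-idiom rule and the two disassembly listings are constructed assumptions rather than the speaker's empirically derived values. It scores each instruction by its mnemonic and operand shape, averages the score over a function, and squashes the mean into a probability, so that a rotate-and-xor round body ranks far above call-and-compare glue code even though neither listing contains a recognisable constant table.

```python
"""Rank disassembled functions by how 'cryptographic' their instruction mix is.

Illustrative only: the weights below are guesses chosen to show the shape of
the heuristic, not the empirically determined values from the talk.
"""
import math
import re

# Bit-twiddling operations that dominate cipher and hash round functions.
OPCODE_WEIGHTS = {
    "xor": 3.0, "rol": 4.0, "ror": 4.0, "bswap": 3.0,
    "shl": 2.0, "shr": 2.0, "sar": 1.5,
    "and": 1.5, "or": 1.0, "not": 1.0,
    "add": 0.5, "sub": 0.5, "mul": 1.0, "imul": 1.0,
}
# Control flow and stack glue pull the score down.
OPCODE_WEIGHTS.update({
    "call": -1.0, "cmp": -0.5, "test": -0.5, "jmp": -0.5, "ret": -0.5,
    "push": -0.5, "pop": -0.5, "mov": -0.25, "lea": -0.25,
})
BIT_OPS_WITH_IMMEDIATE_BONUS = {"xor", "and", "or", "rol", "ror", "shl", "shr"}
IMMEDIATE_RE = re.compile(r"0x[0-9a-f]+", re.I)


def instruction_score(line):
    """Weight one instruction by mnemonic type and argument shape."""
    parts = line.strip().split(None, 1)
    mnemonic = parts[0].lower()
    operands = [op.strip() for op in parts[1].split(",")] if len(parts) > 1 else []
    # 'xor reg, reg' is the compiler's zeroing idiom, not arithmetic: treat it
    # like a mov so it does not inflate ordinary functions.
    if mnemonic == "xor" and len(operands) == 2 and operands[0] == operands[1]:
        return OPCODE_WEIGHTS["mov"]
    score = OPCODE_WEIGHTS.get(mnemonic, 0.0)
    # Argument heuristic: a mask, rotate count or shift count given as an
    # immediate is more crypto-like than the register-only form.
    if mnemonic in BIT_OPS_WITH_IMMEDIATE_BONUS and any(IMMEDIATE_RE.search(op) for op in operands):
        score += 1.0
    return score


def function_score(instructions):
    """Mean per-instruction weight over a function body."""
    if not instructions:
        return 0.0
    return sum(instruction_score(i) for i in instructions) / len(instructions)


def crypto_probability(instructions, midpoint=1.0, steepness=2.0):
    """Logistic squash of the mean score into a 0..1 probability."""
    return 1.0 / (1.0 + math.exp(-steepness * (function_score(instructions) - midpoint)))


def rank_functions(functions):
    """Return (name, probability) pairs, most crypto-like first."""
    ranked = [(name, crypto_probability(body)) for name, body in functions.items()]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


# Constructed sample listings (hypothetical x86 disassembly, not from any real binary).
CRYPTO_LIKE = [      # resembles one add/rotate/xor round
    "mov eax, [esi]",
    "xor eax, [edi]",
    "rol eax, 0x7",
    "add eax, ebx",
    "xor ebx, eax",
    "rol ebx, 0xd",
    "and eax, 0xffff",
    "shr ebx, 0x3",
    "xor eax, ebx",
    "mov [esi], eax",
]
GLUE_LIKE = [        # argument check followed by a call
    "push ebp",
    "mov ebp, esp",
    "mov eax, [ebp+0x8]",
    "test eax, eax",
    "jne 0x401020",
    "xor eax, eax",
    "call 0x401000",
    "cmp eax, 0x1",
    "pop ebp",
    "ret",
]

if __name__ == "__main__":
    for name, prob in rank_functions({"round_body": CRYPTO_LIKE, "glue": GLUE_LIKE}):
        print(f"{name:12s} p(crypto)={prob:.3f}")
```

Because the score depends on the distribution of operation types rather than on any particular constant, changing a table value or a rotation count by one bit leaves the ranking unchanged; the price is that a heavily inlined or unrolled routine needs a per-function normalisation such as the mean used here, otherwise long functions would be favoured simply for containing more instructions.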