Skip to content
View danielplohmann's full-sized avatar

Organizations

@fkie-cad

Block or report danielplohmann

Block user

Prevent this user from interacting with your repositories and sending you notifications. Learn more about blocking users.

You must be logged in to block users.

Please don't include any personal information such as legal names or email addresses. Maximum 100 characters, markdown supported. This note will be visible to only you.
Report abuse

Contact GitHub support about this user’s behavior. Learn more about reporting abuse.

Report abuse
danielplohmann/README.md

Hi! I'm Daniel and I do research around (malware) reverse engineering and analysis automation.

The root and motivation for most of my projects is Malpedia, a a resource for rapid identification and actionable context when investigating malware. It was launched in December 2017 by Steffen Enders and me and is maintained by us ever since.

SMDA is a minimalistic recursive disassembler, which internally uses capstone. It was created to study and improve heuristics for function entry point detection, especially in memory-mapped buffers and shellcode.

MCRIT is the MinHash-based Code Relationship & Investigation Toolkit, a binary code similarity analysis framework. It uses SMDA as its built-in disassembler, and picblocks for the hashing of basic blocks. For easy deployment, it comes as docker-mcrit, including its web UI mcritweb.

To filter out library code during analysis, we created mcrit-data, a collection of reference library code for various compilers (MSVC, MinGW, Go, Nim, ...) and commonly found 3rd party libraries. For this, the support tool lib2smda was created, which can be used to convert LIB/OBJ files into SMDA reports, which can then be imported into MCRIT. Empty MSVC was a pre-cursor to this, which is a collection of "empty main()" Visual Studio projects, compiled with various options - which can also serve well as ground truth for commonly found compiler/library code.

During my research on dynamic Windows API imports in malware, I wrote ApiScout. It's a method/tool to reliably recover such dynamic imports and make them usable in other tools. We also showed that the entirety of Windows API imports used by a malware family can be used effectively for its identification.

In 2012, I created IDAscope, an IDA Pro plugin that provides various convenience functionality during reversing. It was one of the first plugins which extensive rich use of PySide/PyQt in IDA and served as a template for many others.

Over the years, I occassionally wrote some blog posts, which cover many of the above projects or aspects of them in detail.

If you want to support my work, I would be happy if you'd buy me a coffee.

Pinned Loading

  1. apiscout apiscout Public

    This project aims at simplifying Windows API import recovery on arbitrary memory dumps

    Python 241 41

  2. smda smda Public

    SMDA is a minimalist recursive disassembler library that is optimized for accurate Control Flow Graph (CFG) recovery from memory dumps.

    Python 227 36

  3. idascope idascope Public

    An IDA Pro extension for easier (malware) reverse engineering

    Python 110 17

  4. mcrit mcrit Public

    The MinHash-based Code Relationship & Investigation Toolkit (MCRIT) is a framework created to simplify the application of the MinHash algorithm in the context of code similarity.

    Python 86 12

  5. docker-mcrit docker-mcrit Public

    Dockerized Setup for the MinHash-based Code Recognition & Investigation Toolkit (MCRIT)

    Python 15 3