Sysinternals Homepage

Heuristics ideas.

Author: Mad_guy (Newbie, joined 30 September 2005)
Posted: 06 December 2005 at 9:22pm
I'm sure many of you have all used IDA Pro before, it's an exceptional program and a masterpiece. It can detect signatures of binary files for miles on end and so on and so on.


The thing is, IDA can detect certain signatures within an analyzed binary file to conduct its heuristics analysis and narrow down on some possible file types it should decompile them into. Seeing how that wasn't really writing with words, I'll state it another way: given a binary, IDA analyzes it and finds possible file formats, and once you select one, it decompiles it appropriately.

Basically I was wondering if anybody here knew a reliable way to replicate something like that. I was thinking of doing a regexp type match and having things that identify the file hardcoded and then have anything that can be variable (such as the machine type in the PE header of an EXE) marked as such, however, I realized that I would have to do further heuristics analysis over the binary, because for example, ELF files always have the "ELF\177" signature in their binary, if I load an ELF file and it doesn't have that it could simply be a slightly-altered ELF. Therefore if, say, that signature was "ELF\143" I could note the 'ELF' part and mark it as 'possibly ELF' in an internal array or somesuch (or mark a flag etc. etc.) and then after I got done analyzing my possibles I could do more heuristics on it, for example if it could be for some weird-ass reason a possible EXE and a possible ELF then I could do more PE-related checks and then do more ELF-related checks and see which comes out with a higher probability level.

Does anybody know of a possibly simpler way to do this? Regexp-based matching and narrowing down is the only thing I could really think up truth be told. This might be the simplest solution, but my conscience always tells me that "The most elegant solution is found only after the problem is solved."
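A scoring approach along the lines the post describes, added here as an example (it is not code from the post or from IDA): each format gets its own set of checks, an altered magic still earns partial "possibly ELF" credit, the variable fields (ELF class, PE machine type) are checked against known values, and candidates are ranked by score. It assumes the real ELF magic (0x7f 'E' 'L' 'F') and only a minimal subset of PE checks; the sample headers are constructed, not real files.

```python
import struct

# Known-good values for the "variable" fields the post mentions; a header can
# earn partial credit for these even when its fixed signature has been altered.
ELF_CLASSES = {1, 2}                              # EI_CLASS: 32-bit / 64-bit
ELF_ENCODINGS = {1, 2}                            # EI_DATA: little / big endian
PE_MACHINES = {0x014C, 0x8664, 0x01C0, 0xAA64}    # x86, x64, ARM, ARM64

def score_elf(data: bytes) -> int:
    """Count ELF-specific checks the buffer passes (0-4)."""
    if len(data) < 16:                            # need the full e_ident array
        return 0
    score = 0
    if data[:4] == b"\x7fELF":                    # real magic: 0x7f 'E' 'L' 'F'
        score += 2
    elif b"ELF" in data[:4]:                      # altered magic: "possibly ELF"
        score += 1
    if data[4] in ELF_CLASSES:
        score += 1
    if data[5] in ELF_ENCODINGS and data[6] == 1: # EI_DATA plus EI_VERSION == 1
        score += 1
    return score

def score_pe(data: bytes) -> int:
    """Count PE-specific checks the buffer passes (0-4)."""
    if len(data) < 0x40 or data[:2] != b"MZ":     # need a DOS header first
        return 0
    score = 1                                     # "MZ" stub present
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 6 > len(data):                  # offset points outside the file
        return score
    if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
        score += 2
    if struct.unpack_from("<H", data, e_lfanew + 4)[0] in PE_MACHINES:
        score += 1
    return score

def identify(data: bytes) -> list:
    """Rank candidate formats by score; formats with no evidence are dropped."""
    scores = {"ELF": score_elf(data), "PE": score_pe(data)}
    return sorted(((f, s) for f, s in scores.items() if s > 0), key=lambda fs: -fs[1])

# Constructed sample headers (not real files), just long enough for the checks.
GOOD_ELF = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
ALTERED_ELF = b"cELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8      # 'c' is \143 octal
GOOD_PE = (b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)
           + b"PE\x00\x00" + struct.pack("<H", 0x8664) + b"\x00" * 2)
TRUNCATED_PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x1000)
```

Calling `identify()` on each sample yields the ranked candidates, e.g. `[("ELF", 3)]` for the altered-magic header and `[("PE", 1)]` for the one whose PE offset lies outside the buffer.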