Tool that extracts the control-flow graph (CFG) of every function ("method") in a PE binary into an adjacency matrix and compares those graphs with the graphs of other functions or binaries.
Still in progress:
- Extract CFG
- Export graph -> png
- Save graph -> gml
- Similarity / Hash / Distance
- Load new graph
- Graph matching
- Hash basic blocks (LSH)
- Subgraph distance / matching
Default mode: lists the functions of the binary and prints the adjacency matrix of each function's CFG (row i, column j is 1 when basic block i has an edge to basic block j). Matrices are limited to 9 nodes.
python MalwareGraph.py notepad.exe
fcn.1400025bc
[[0. 1. 1. 0. 0. 0.]
[0. 0. 0. 1. 1. 0.]
[0. 1. 0. 0. 0. 0.]
[0. 0. 0. 0. 0. 1.]
[0. 0. 0. 1. 0. 0.]
[0. 0. 0. 0. 0. 0.]]
| # | Method | Nodes |
|---|--------|-------|
| 1 | fcn.140001a20 | 5 |
| 2 | fcn.1400022f8 | 2 |
| 3 | fcn.140001c6c | 5 |
| 4 | fcn.1400010dc | 1 |
| 6 | fcn.140001cd0 | 5 |
| 7 | fcn.140001de0 | 4 |
| 9 | fcn.140001424 | 3 |
| 10 | fcn.140001188 | 5 |
| 11 | fcn.140001cac | 1 |
| 12 | fcn.140002418 | 7 |
| 13 | fcn.140002470 | 1 |
| 14 | fcn.1400024d0 | 4 |
| 16 | fcn.140001cf4 | 5 |
| 17 | fcn.1400023bc | 7 |
| 18 | fcn.140002530 | 5 |
| 19 | fcn.140002480 | 6 |
| 20 | fcn.1400025bc | 6 |
Export the CFG of every function in the binary to GML format (`-e`):
python MalwareGraph.py ../calc.exe -e
Compare an imported GML graph (`-i`) against every function graph of another PE file. For each function the tool reports the graph edit distance (GED), node count, an isomorphism flag, a bipartite matching score and a Weisfeiler-Lehman hash; functions sharing a hash are the candidates worth inspecting first.
python MalwareGraph.py ../../Downloads/7a9130960b9ac94c4de7ce836d61e3bbd2b6602aab647e22bf032ae1f2ae0acf -i _fcn.08060b13.gml
['../../Downloads/7a9130960b9ac94c4de7ce836d61e3bbd2b6602aab647e22bf032ae1f2ae0acf']
Number of methods : 42
| # | Function Name | GED | node | Isomorphism | Bipartite | weisfeiler_lehman |
|---|---------------|-----|------|-------------|-----------|-------------------|
| 0 | fcn.140019170 | 4.0 | 5.0 | 0.0 | 1.0 | 350046f1109d8ea041fafd5f3a6cc4da |
| 1 | fcn.140014d30 | 0.0 | 5.0 | 1.0 | 0.0 | 83bf2a2d3b9b37e8fda10ae3ad1036d3 |
| 2 | fcn.140014fbc | 0.0 | 5.0 | 1.0 | 0.0 | 83bf2a2d3b9b37e8fda10ae3ad1036d3 |
| 3 | fcn.1400198ec | 3.0 | 5.0 | 0.0 | 0.0 | a6c19f0406574ffbb0c9a0d9217f3af8 |
| 4 | fcn.14001497c | 0.0 | 5.0 | 1.0 | 0.0 | 83bf2a2d3b9b37e8fda10ae3ad1036d3 |
| 5 | fcn.140019620 | 4.0 | 5.0 | 0.0 | 0.0 | cb3c705f08b23c57016714b3cf26711d |
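The following is an added, stand-alone example (not MalwareGraph.py code, and not the tool's implementation of its columns) that ties the two outputs above together: it rebuilds the 6x6 adjacency matrix printed for fcn.1400025bc from an edge list, computes a Weisfeiler-Lehman style hash over directed graphs, and runs an exact isomorphism check that is only affordable because matrices are capped at 9 nodes. The renumbered copy of fcn.1400025bc, the 6-node cycle and the two-triangle graph are constructed inputs; the hash function (md5) and the "indegree:outdegree" starting labels are this example's choices. The last pair shows the caveat a practitioner needs when reading the `weisfeiler_lehman` column: equal hashes are necessary for isomorphism but not sufficient, so a shared hash is a filter, and the `Isomorphism` column is the confirmation.

```python
# Added example (not MalwareGraph.py code): CFG adjacency matrices, a
# Weisfeiler-Lehman style hash and an exact isomorphism check, stdlib only.
import hashlib
from itertools import permutations

MAX_NODES = 9  # same cap as the README's matrices; keeps brute force cheap


def adjacency_matrix(n, edges):
    """n x n 0/1 matrix: m[i][j] == 1 when basic block i has a CFG edge to block j."""
    m = [[0] * n for _ in range(n)]
    for src, dst in edges:
        m[src][dst] = 1
    return m


def edges_of(m):
    """Inverse of adjacency_matrix: the set of (src, dst) pairs."""
    return {(i, j) for i, row in enumerate(m) for j, v in enumerate(row) if v}


def wl_hash(m, iterations=3):
    """Weisfeiler-Lehman style hash of a directed graph.

    Labels start as "indegree:outdegree" and are refined by hashing each
    node's label together with the sorted labels of its successors and
    predecessors. The result is permutation-invariant, so isomorphic graphs
    always hash equal; the converse does not hold (see the caveat pair).
    md5 is this example's choice of hash, not the tool's.
    """
    n = len(m)
    succ = [[j for j in range(n) if m[i][j]] for i in range(n)]
    pred = [[j for j in range(n) if m[j][i]] for i in range(n)]
    labels = [f"{len(pred[i])}:{len(succ[i])}" for i in range(n)]
    for _ in range(iterations):
        new = []
        for i in range(n):
            s = ",".join(sorted(labels[j] for j in succ[i]))
            p = ",".join(sorted(labels[j] for j in pred[i]))
            new.append(hashlib.md5(f"{labels[i]}|{s}|{p}".encode()).hexdigest())
        labels = new
    return hashlib.md5(",".join(sorted(labels)).encode()).hexdigest()


def isomorphic(a, b):
    """Exact directed-graph isomorphism by trying every node relabelling.

    Factorial cost, acceptable only because matrices are capped at MAX_NODES.
    """
    n = len(a)
    if n != len(b):
        return False
    if n > MAX_NODES:
        raise ValueError(f"brute-force isomorphism is limited to {MAX_NODES} nodes")
    ea, eb = edges_of(a), edges_of(b)
    if len(ea) != len(eb):
        return False
    return any({(perm[i], perm[j]) for i, j in ea} == eb for perm in permutations(range(n)))


# The 6x6 matrix printed for fcn.1400025bc above, as an edge list.
FCN_1400025BC = adjacency_matrix(6, [(0, 1), (0, 2), (1, 3), (1, 4), (2, 1), (3, 5), (4, 3)])
# Constructed: the same CFG with basic blocks renumbered (node i -> [5,0,3,1,4,2][i]).
FCN_RENUMBERED = adjacency_matrix(6, [(5, 0), (5, 3), (0, 1), (0, 4), (3, 0), (1, 2), (4, 1)])
# Constructed caveat pair: one 6-node cycle versus two disjoint 3-node cycles.
# Every node has in- and out-degree 1, so WL refinement never tells them
# apart and the hashes collide, although the graphs are not isomorphic.
SIX_CYCLE = adjacency_matrix(6, [(0, 1), (1, 2), (2, 3), (3, 4), (4, 5), (5, 0)])
TWO_TRIANGLES = adjacency_matrix(6, [(0, 1), (1, 2), (2, 0), (3, 4), (4, 5), (5, 3)])


def compare(a, b):
    """Cheap WL filter first; the exact check runs only when the hashes agree."""
    same_hash = wl_hash(a) == wl_hash(b)
    return {"wl_equal": same_hash, "isomorphic": same_hash and isomorphic(a, b)}


if __name__ == "__main__":
    pairs = {
        "fcn.1400025bc vs renumbered": (FCN_1400025BC, FCN_RENUMBERED),
        "6-cycle vs two triangles": (SIX_CYCLE, TWO_TRIANGLES),
    }
    for name, (a, b) in pairs.items():
        print(name, compare(a, b))
```

The renumbered function reports `wl_equal` and `isomorphic` both true, matching how rows 1, 2 and 4 in the table above share one hash and an isomorphism score of 1.0. The cycle pair reports `wl_equal` true but `isomorphic` false, which is why a hash match alone should never be used to declare two functions identical.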