GRAP - Define and Match Graph Patterns Within Binaries
Offered By: Recon Conference via YouTube
Course Description
Overview
Explore a powerful tool for malware analysis and binary code pattern matching in this conference talk from Recon 2017 Brussels. Learn about GRAP, a YARA-like detection tool that matches user-defined graph patterns against Control Flow Graphs (CFGs) of disassembled binary code. Discover how GRAP utilizes Capstone-based disassembly to generate CFGs and employs a simplified subgraph isomorphism algorithm for quick pattern matching. Gain insights into practical applications, including detecting generic patterns like loops and creating signatures for malware variants. Explore the IDA plugin that enables direct detection and browsing of matches within the GUI. Delve into the tool's Python bindings for creating scripts and extracting valuable information from matched instructions. Follow along as the speakers demonstrate real-world use cases, from command-line pattern detection to malware pattern creation and information extraction. Benefit from the expertise of Aurelien Thierry, a reverse engineer and forensics analyst at Airbus Defence & Space - CyberSecurity, and Jonathan Thieuleux, a junior malware analyst at Stormshield, as they share their knowledge on this open-source tool designed to enhance malware analysis capabilities.
Syllabus
Recon 2017 Brussels - GRAP: define and match graph patterns within binaries
Taught by
Recon Conference
Related Courses
Threat Hunting with Yara - Pluralsight
Reverse Engineering 3201: Symbolic Analysis - OpenSecurityTraining2 via Independent
Firing Rounds at the Analysis Shooting Gallery - CSAW'16 Security Workshop - New York University (NYU) via YouTube
angr: Binary Analysis Framework - Demonstration and Analysis - New York University (NYU) via YouTube
Debin: Predicting Debug Information in Stripped Binaries - Association for Computing Machinery (ACM) via YouTube