Binary Analysis
CIAT 1.0 release Aug 13 2008 05:41PM
Omar Herrera (oherrera prodigy net mx)
I would like to announce the first release of the Cryptographic Implementations Analysis Toolkit (CIAT). This Toolkit is a compendium of command line and graphical tools whose aim is to help in the detection and analysis of encrypted byte sequences within files (executable and non-executable). It is particularly helpful in the forensic analysis and reverse engineering of malware using cryptographic code and encrypted payloads.

The following is a quick summary of the tools included:

- CryptoLocator
CryptoLocator allows the detection of pseudo-random byte sequences within mixed-content files. It was designed specifically to detect encrypted payloads within malware executables, but it can be used for other purposes, such as detecting encrypted communications or verifying the output quality of closed-source encryption software. The algorithms come from NIST's SP800-22.

- CryptoCodeDetector
CryptoCodeDetector is a tool specifically designed for the analysis of PE executables (only 32-bit executables are currently supported). It was created to locate code references to encrypted payloads within malware (i.e. those identified by CryptoLocator in executable files), but it can also be used to search for any reference to any location within a range in the file being analyzed.

- CryptoVisualizer
This is a very simple interactive tool that allows you to see any file graphically. It was designed to help human researchers quickly pinpoint probable pseudorandom sequences. Of course, this is not a robust technique, but it helps. Source code, executable code, text and other forms of non-pseudo-random content in files are also easily identifiable with this tool, since the bytes forming those kinds of content tend to fall within a certain range or form visually identifiable

- CryptoID
CryptoID is a tool that implements two algorithms: one that assesses the degree of randomness and one that assesses the degree of encryption (for byte sequences that are found to be random). Both are based on statistics from Fractional Fourier Transforms applied to the byte sequences being analyzed.
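To make the CryptoLocator idea concrete, here is an added example written for this page (it is not CIAT code and makes no claim about how CIAT is implemented). It applies two of the SP800-22 tests the announcement refers to, the frequency (monobit) test and the runs test, to fixed-size windows of a file image and reports the windows that pass both at the conventional 0.01 significance level. The 256-byte window, the SHA-256 chain standing in for an encrypted payload, and the text and zero-padding regions of the sample image are all assumptions of the example.

```python
"""Sliding-window randomness scan, in the spirit of CryptoLocator.

Added example, not CIAT code. Two NIST SP800-22 tests (frequency/monobit,
section 2.1, and runs, section 2.3) are applied to each 256-byte window of a
file image; a window that passes both at alpha = 0.01 is reported as a
candidate pseudo-random (encrypted or compressed) region.
"""
import hashlib
import math

WINDOW = 256   # bytes per window (assumption: small enough to localise a payload)
ALPHA = 0.01   # SP800-22's conventional significance level


def _bits(data: bytes):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for b in data:
        for i in range(7, -1, -1):
            yield (b >> i) & 1


def monobit_p(data: bytes) -> float:
    """SP800-22 2.1: p-value of the frequency (monobit) test."""
    n = len(data) * 8
    ones = sum(bin(b).count("1") for b in data)
    s_obs = abs(2 * ones - n) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))


def runs_p(data: bytes) -> float:
    """SP800-22 2.3: p-value of the runs test (0.0 when the frequency
    precondition |pi - 1/2| < 2/sqrt(n) is not met)."""
    bits = list(_bits(data))
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0
    v_obs = 1 + sum(1 for i in range(n - 1) if bits[i] != bits[i + 1])
    num = abs(v_obs - 2 * n * pi * (1 - pi))
    den = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(num / den)


def scan(data: bytes, window: int = WINDOW, alpha: float = ALPHA):
    """Return (offset, monobit_p, runs_p, looks_random) for each full window."""
    out = []
    for off in range(0, len(data) - window + 1, window):
        chunk = data[off:off + window]
        p1, p2 = monobit_p(chunk), runs_p(chunk)
        out.append((off, p1, p2, p1 >= alpha and p2 >= alpha))
    return out


def pseudo_random(n: int, seed: bytes = b"ciat-example") -> bytes:
    """Deterministic SHA-256 chain standing in for an encrypted payload (constructed)."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def sample_image() -> bytes:
    """Constructed file image: 1 KiB of ASCII text, a 1 KiB 'payload', 1 KiB of zeros."""
    text = (b"The quick brown fox jumps over the lazy dog. " * 30)[:1024]
    return text + pseudo_random(1024) + bytes(1024)


if __name__ == "__main__":
    for off, p1, p2, flag in scan(sample_image()):
        print(f"0x{off:04x}  monobit={p1:.3g}  runs={p2:.3g}  {'RANDOM?' if flag else ''}")
```

Two points worth keeping in mind when reading the output: a genuinely random window fails each test about 1% of the time at this threshold, so an occasional unflagged window inside a long flagged run is expected rather than a sign of structure; and compressed data passes these tests just as encrypted data does, which is exactly why the announcement keeps a separate step (CryptoID) for telling the two apart.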

The toolkit is currently available at A zip file with both Windows binaries and source code is available (sorry, no makefiles for the moment). It is being released under the GNU GPL version 3 licence so that others in the field may benefit from these tools and the techniques they implement.
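As an added illustration of the kind of search CryptoCodeDetector is described as performing (example code written for this page, not CIAT's own), the following scans a 32-bit image for references into a given virtual-address range. It assumes the image is already mapped flat at a base address, so file offsets equal RVAs and no section table is consulted, and looks for two kinds of reference: absolute 32-bit little-endian immediates, and E8/E9 call/jmp rel32 targets. The base address 0x00400000, the payload range, and the hand-assembled instruction bytes are constructed for the example.

```python
"""Find references into an address range, in the spirit of CryptoCodeDetector.

Added example, not CIAT code. The image is assumed to be a 32-bit module
mapped flat at `base` (no section table, so file offset == RVA).
"""
import struct


def find_absolute_refs(image: bytes, lo: int, hi: int):
    """Byte offsets whose 4-byte little-endian value lies in [lo, hi).

    This is what an absolute operand such as `mov esi, offset payload` or
    `push offset payload` leaves in the code. The scan is unaligned because
    x86 immediates sit at arbitrary offsets."""
    hits = []
    for off in range(len(image) - 3):
        val = struct.unpack_from("<I", image, off)[0]
        if lo <= val < hi:
            hits.append((off, val))
    return hits


def find_rel32_refs(image: bytes, base: int, lo: int, hi: int):
    """E8 (call) / E9 (jmp) rel32 whose target, next_ip + rel32, lies in [lo, hi).

    Relative branches carry no absolute address, so the scan above cannot see
    them; they matter when a payload is decrypted in place and then executed."""
    hits = []
    for off in range(len(image) - 4):
        if image[off] in (0xE8, 0xE9):
            rel = struct.unpack_from("<i", image, off + 1)[0]
            target = (base + off + 5 + rel) & 0xFFFFFFFF
            if lo <= target < hi:
                hits.append((off, target))
    return hits


def build_sample_image():
    """Constructed 32-bit image: hand-assembled instructions at 0x1000 and a
    0x400-byte stand-in payload at 0x2000. Returns (image, base, lo, hi)."""
    base = 0x00400000
    lo, hi = base + 0x2000, base + 0x2400        # VA range of the payload
    img = bytearray(0x2400)
    code = (
        b"\xBE" + struct.pack("<I", lo)           # mov esi, 0x00402000  (absolute ref)
        + b"\xB9" + struct.pack("<I", 0x400)      # mov ecx, 0x400       (a length, not a ref)
        + bytes(6)                                # padding
        # call 0x00402010 at offset 0x1010: rel32 = target - VA of next instruction
        + b"\xE8" + struct.pack("<i", (lo + 0x10) - (base + 0x1010 + 5))
        + bytes(11)                               # padding
        + b"\x68" + struct.pack("<I", lo + 0x10)  # push 0x00402010      (absolute ref)
    )
    img[0x1000:0x1000 + len(code)] = code
    img[0x2000:0x2400] = b"\xAA" * 0x400          # opaque stand-in payload
    return bytes(img), base, lo, hi


def report():
    """Run both scans over the constructed image."""
    img, base, lo, hi = build_sample_image()
    return {
        "absolute": find_absolute_refs(img, lo, hi),
        "rel32": find_rel32_refs(img, base, lo, hi),
    }


if __name__ == "__main__":
    for kind, hits in report().items():
        for off, target in hits:
            print(f"{kind:8s} at file offset 0x{off:05x} -> 0x{target:08x}")
```

The absolute scan is deliberately naive: any four bytes of data that happen to look like an address in the range will be reported, so hits should be confirmed in a disassembler. On a real PE the file offset of a hit also has to be translated through the section table before it can be compared with virtual addresses, which the flat-mapping assumption above skips.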

Kind regards,

Omar Herrera
