Original Entry Point detection based on graph similarity

• The official source code for the paper "Original Entry Point detection based on graph similarity"
• This code is undergoing a refactoring process
• This code is for research purposes only

Requirements

• Python >= 3.7
• networkx 2.6.3
• PyGraphviz

Usage:

Dataset

• data: https://drive.google.com/file/d/1PPfADJnTPACcaqwzl1F6PdSsCzDPoloU/view?usp=sharing. (Put it under oep-detection folder)
• test_Gunpacker: https://drive.google.com/file/d/1Mt7ob_eYatPsKxCBPTq6qBMVSH660bjR/view?usp=sharing
• check_virustotal: https://drive.google.com/file/d/1pDg04V_NoXagZSj97nghNXz7Q5K5dpfp/view?usp=sharing
• log_be_pum_malware_all: https://drive.google.com/file/d/1t4NBAfvUEu8h417HeQ3CY4RY4BWTdC_N/view?usp=sharing

Evaluation

• Our method and BE-PUM run this command line:

python graph_based_method.py --log_path logs/graph_based_method9

• Packer identification by VirusTotal and PyPackerDetect
  Note: Change the path of folder "check_virustotal" and "test_Gunpacker" in the code.

python tools/packer_identification_others.py

• OEP detection by Gunpacker and QuickUnpack
  Note: Change the path of folder "check_virustotal" and "test_Gunpacker" in the code.

Gunpacker:
python tools/packer_identification_others.py
QuickUnpack:
python tools/OEP_detection_QuickUnpack.py

• Packer identification and OEP detection on malware samples:
  Change the path of "log_be_pum_malware_all" in the code

python tools/malware_inference.py

Template matching

sh scripts/running_[packer_name].sh

For example:

sh scripts/running_upx.sh

Template setup

Delete "end_of_unpacking_sequence.txt" before running

python standard_graph_construction.py