Finding Xori: Malware Analysis Triage with Automated Disassembly

Zouri is a fast and stable disassembler that can identify junk code versus data and enumerate control flow. It uses byte regex to add more name info to compiled programs and has built-in signatures for standard function headers. Zouri is capable of outputting 5.3 gigabytes of JSON, which can be used for various purposes such as searching for specific functions or putting on the blockchain.

• Zouri is a fast and stable disassembler that can identify junk code versus data
• Zouri uses byte regex to add more name info to compiled programs
• Zouri has built-in signatures for standard function headers
• Zouri is capable of outputting 5.3 gigabytes of JSON
• The JSON output can be used for various purposes such as searching for specific functions or putting on the blockchain

Zouri was able to enumerate control flow very nicely and quickly, and it was able to identify padding after a non-returning call or after returns. It also had loop tracking to prevent infinite loops. However, Zouri still needs help with building pattern files or signature files. Overall, Zouri is a powerful tool for disassembling programs.

In a world of high volume malware and limited researchers we need a dramatic improvement in our ability to process and analyze new and old malware at scale. Unfortunately what is currently available to the community is incredibly cost prohibitive or does not rise to the challenge. As malware authors and distributors share code and prepackaged tool kits, the corporate sponsored research community is dominated by solutions aimed at profit as opposed to augmenting capabilities available to the broader community. With that in mind, we are introducing our library for malware disassembly called Xori as an open source project. Xori is focused on helping reverse engineers analyze binaries, optimizing for time and effort spent per sample. Xori is an automation-ready disassembly and static analysis library that consumes shellcode or PE binaries and provides triage analysis data. This Rust library emulates the stack, register states, and reference tables to identify suspicious functionality for manual analysis. Xori extracts structured data from binaries to use in machine learning and data science pipelines. We will go over the pain-points of conventional open source disassemblers that Xori solves, examples of identifying suspicious functionality, and some of the interesting things we've done with the library. We invite everyone in the community to use it, help contribute and make it an increasingly valuable tool for researchers alike.