Skip navigation.

VERA - Visualizing Executables for Reversing and Analysis

VERA is a tool for reverse engineering Windows executables. It is used in conjunction with the Ether framework to generate visualizations to help with the RE process.

Vera Executables 0.31 - Binaries to run VERA and generate graphs. (updated 02/07/2011)

ShmooCon 2011 - Visual Malware Reversing - How to Stop Reading Assembly and Love the Code
Visualizing Compiled Executables for Malware Analysis - Vizsec 2009 Best Paper - Describes VERA in detail. BibTeX
Reverse Engineering by Crayon Slides from the Blackhat USA 2009 talk.

If you're going to try and use Ether (which you definitely should) make sure you run Debian Sarge (or Etch or Lenny) with a 64-bit installation. From there the installation instructions from the Ether site should be all you need.

Read more for usage instructions.

To use the Vera code, you'll need to execute Ether with the instrtrace option and the binary you want to analyze. To do that, simply start your Xen Windows image.

xm create /etc/xen/your-windows-config.cfg

Once it is completely booted, copy your file on the system. From there you will need to start ether. The command-line to use is:

./ether ID_GOES_HERE instrtrace file-to-analyze.exe > file-to-analyze.trace

Start the executable on the virtual machine. Let it run for a little while and then kill the process inside of your virtual machine. Once that is done, copy the .trace file to your windows box.

The next step will be to run gengraph.exe on the resulting file. You will need the tracefile and the original executable in order to properly parse it.

gengraph.exe file-to-analyze.trace file-to-analyze.exe file-to-analyze.gml

This will generate two files: all-file-to-analyze.gml and bbl-file-to-analyze.gml. Now it's time to use the VERA program. You can simply open the GML files and begin exploring the file.

I hope you find it useful. If you run into problems please feel free to email me. dquistoffensivecomputing(DoOT)net.

Sharing code

Hi Danny.

Thank you so much for contributing this awesome project to malware analyzing community.

I want to ask you a question: Are you willing to share it's code and let some other people to help you in this project and contribute ideas and codes?

Personally I have some ideas and some changes to do in VERA code, what do you think?

Are you willing to share it via SVN repository like google code or GitHub?



VeraTrace isnt yet released ?! i thought VERA doesnt need damn ether anymore...

btw, great job!

im just sorry! i hadnt watched the conference video yet :P