VERA - Visualizing Executables for Reversing and Analysis
VERA is a tool for reverse engineering Windows executables. It is used in conjunction with the Ether framework to generate visualizations to help with the RE process.
Vera Executables 0.31 - Binaries to run VERA and generate graphs. (updated 02/07/2011)
ShmooCon 2011 - Visual Malware Reversing - How to Stop Reading Assembly and Love the Code
Visualizing Compiled Executables for Malware Analysis - Vizsec 2009 Best Paper - Describes VERA in detail. BibTeX
Reverse Engineering by Crayon - Slides from the Black Hat USA 2009 talk.
If you're going to try to use Ether (which you definitely should), make sure you run a 64-bit installation of Debian Sarge (or Etch or Lenny). From there, the installation instructions on the Ether site should be all you need.
To use the VERA code, you'll need to run Ether with the instrtrace option against the binary you want to analyze. First, start your Xen Windows image from dom0:
xm create /etc/xen/your-windows-config.cfg
Once it has completely booted, copy the file onto the guest. Then start Ether from dom0. ID_GOES_HERE is the numeric domain ID of the running Windows guest, as shown in the ID column of xm list. The command line to use is:
./ether ID_GOES_HERE instrtrace file-to-analyze.exe > file-to-analyze.trace
Start the executable inside the virtual machine. Let it run for a little while, then kill the process inside the virtual machine. Once that is done, copy the .trace file to your Windows box.
The next step is to run gengraph.exe on the resulting trace. You need both the trace file and the original executable in order to parse it properly:
gengraph.exe file-to-analyze.trace file-to-analyze.exe file-to-analyze.gml
This generates two files: all-file-to-analyze.gml and bbl-file-to-analyze.gml. Now it's time to use the VERA program: open either GML file in VERA and begin exploring the executable.
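As an added example (this is not VERA's or Ether's own code), the script below reads a GML graph of the kind gengraph writes and does outside VERA what the visualization is meant to show: it finds loops in the executed-block graph and the blocks where control leaves each loop, which is where an unpacked program's real entry point tends to sit. It assumes only the standard GML layout (graph [ node [ id N label "..." ] edge [ source N target M ] ]) and that the node label carries the block address; the sample graph embedded in it is constructed for the example and is not real gengraph output.

```python
"""Added example (not VERA/Ether code): read a gengraph-style GML graph,
find loops among the executed blocks, and report where each loop exits.

Assumes standard GML: graph [ node [ id N label "..." ] edge [ source N target M ] ]
with the block address in the node label. SAMPLE_GML is constructed, not real output.
"""
import re
from collections import defaultdict

# Constructed sample: blocks 2 and 3 form a loop (think of a decryption or
# unpacking loop); control leaves from block 3 into block 4, then block 5.
SAMPLE_GML = """
Creator "constructed sample"
graph [
  directed 1
  node [ id 1 label "0x00401000" ]
  node [ id 2 label "0x00401020" ]
  node [ id 3 label "0x00401040" ]
  node [ id 4 label "0x00402000" ]
  node [ id 5 label "0x00402030" ]
  edge [ source 1 target 2 ]
  edge [ source 2 target 3 ]
  edge [ source 3 target 2 ]
  edge [ source 3 target 4 ]
  edge [ source 4 target 5 ]
]
"""

# GML tokens: quoted strings, brackets, or bare words/numbers.
_TOKEN = re.compile(r'"[^"]*"|\[|\]|[^\s\[\]"]+')


def parse_gml(text):
    """Return (nodes, edges): nodes = {id: label}, edges = [(src, dst)]."""
    tokens = _TOKEN.findall(text)
    nodes, edges = {}, []
    stack = []  # one (block keyword, attribute dict) per open '['
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == ']':
            kind, attrs = stack.pop()
            if kind == 'node':
                nodes[int(attrs['id'])] = attrs.get('label', '')
            elif kind == 'edge':
                edges.append((int(attrs['source']), int(attrs['target'])))
            i += 1
            continue
        key, val = tok, tokens[i + 1]
        if val == '[':
            stack.append((key, {}))
        elif stack:  # key/value inside a block; top-level pairs (Creator ...) are ignored
            stack[-1][1][key] = val.strip('"')
        i += 2
    return nodes, edges


def find_loops(nodes, edges):
    """Strongly connected components containing a cycle (Tarjan's algorithm).
    Each loop is a sorted list of node ids. Recursive for brevity; a huge trace
    graph would want an iterative version."""
    succ = defaultdict(list)
    for s, d in edges:
        succ[s].append(d)
    index, low, on_stack, stack, loops = {}, {}, set(), [], []

    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v)
        on_stack.add(v)
        for w in succ[v]:
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:  # v is the root of a component: pop it
            comp = []
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.append(w)
                if w == v:
                    break
            if len(comp) > 1 or v in succ[v]:  # multi-block loop or self-loop
                loops.append(sorted(comp))

    for v in nodes:
        if v not in index:
            visit(v)
    return sorted(loops)


def loop_exits(loop, edges):
    """Blocks outside `loop` reached directly from inside it: the first code
    run once the loop finishes, the place to look for the real entry point."""
    members = set(loop)
    return sorted({d for s, d in edges if s in members and d not in members})


def summarize(text):
    """Parse GML text and describe every loop by block address."""
    nodes, edges = parse_gml(text)
    return [{'loop': [nodes[v] for v in loop],
             'exits_to': [nodes[v] for v in loop_exits(loop, edges)]}
            for loop in find_loops(nodes, edges)]


if __name__ == '__main__':
    for entry in summarize(SAMPLE_GML):
        print('loop over', entry['loop'], 'exits to', entry['exits_to'])
```

Point it at the bbl-*.gml file (read the file and pass its text to summarize) to get a list of loops and their exit blocks before opening the graph in VERA; the loop with the most blocks behind it and a single exit into a region the loop never touched is the usual unpacker-to-original-code transition.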
I hope you find it useful. If you run into problems please feel free to email me. dquistoffensivecomputing(DoOT)net.