EDITOR’S NOTE: This guest post was contributed by unknowntrojan, shedding light on one of the lesser-known plugins, coolsigmaker.
A common task in reverse engineering is matching reused code across multiple binaries. Whether you’re doing malware lineage tracking, identifying a statically compiled library, or any other job that comes down to recognizing similar code, several technologies attempt to solve parts of this problem. Tools for related problems include SigKit (Binary Ninja’s static library detection), IDA’s FLIRT/FLAIR and Lumina features, and more advanced diffing systems such as Diaphora or BinDiff.
Related to those, you might already be familiar with the “SigMaker” style of plugins available for various platforms [1] [2] [3]. These plugins generate byte patterns from code that can be used to find that code across different binaries, or to locate the same function reliably between application updates. This is useful for malware classification and static-library identification, among other purposes.
binja_coolsigmaker is just that: a fast and reliable “SigMaker” plugin for Binary Ninja.
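To make the idea of a “SigMaker” pattern concrete, here is an added example that is not part of the original post and not code from binja_coolsigmaker or Binary Ninja. It builds an IDA-style byte pattern (hex bytes with `?` wildcards) in two ways that such plugins commonly use: by wildcarding bytes that differ between two copies of the same function, and by growing a pattern from a chosen address, with known operand positions masked, until it matches exactly once in the binary. The function bytes, the decoy, and the stand-in “binary” are constructed for the demonstration.

```python
import re

# Constructed samples: the same function as it appears in two different builds.
# The RIP-relative load (48 8B 05 <disp32>) and the call (E8 <rel32>) carry
# layout-dependent operands that differ per build; everything else is identical.
FUNC_IN_BINARY_A = bytes.fromhex("48 8B 05 10 20 30 40 48 85 C0 74 05 E8 AA BB CC DD C3")
FUNC_IN_BINARY_B = bytes.fromhex("48 8B 05 44 33 22 11 48 85 C0 74 05 E8 11 22 33 44 C3")

# Constructed stand-in for the second binary: padding, a decoy that shares the
# first three bytes of the function, more padding, then the function at offset 12.
BINARY_B = (bytes.fromhex("CC CC")
            + bytes.fromhex("48 8B 05 00 00 00 00 C3")
            + bytes.fromhex("CC CC")
            + FUNC_IN_BINARY_B
            + bytes.fromhex("CC CC CC"))
FUNC_B_OFFSET = 12


def make_signature(samples):
    """Build a pattern such as '48 8B 05 ? ? ? ?' from several copies of the same
    code. Any byte position that differs between copies becomes a '?' wildcard.
    This only masks bytes that happened to differ in the samples seen; a real
    plugin uses the disassembler's operand info to mask whole relocatable operands."""
    length = min(len(s) for s in samples)
    tokens = []
    for i in range(length):
        column = {s[i] for s in samples}
        tokens.append("?" if len(column) > 1 else f"{samples[0][i]:02X}")
    return " ".join(tokens)


def pattern_to_regex(pattern):
    """Translate a space-separated hex/wildcard pattern into a compiled bytes regex.
    A zero-width lookahead is used so overlapping occurrences are all reported."""
    parts = []
    for tok in pattern.split():
        if tok in ("?", "??"):
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"(?=" + b"".join(parts) + b")", re.DOTALL)


def find_pattern(buf, pattern):
    """Return every offset in buf at which the pattern matches."""
    return [m.start() for m in pattern_to_regex(pattern).finditer(buf)]


def shortest_unique_signature(buf, start, wildcards=frozenset()):
    """Grow a pattern from buf[start] one byte at a time, masking the relative
    positions listed in `wildcards` (e.g. operand bytes known from disassembly),
    and stop at the first length that matches exactly once in buf. Returns None if
    the end of the buffer is reached before the pattern becomes unique."""
    for n in range(1, len(buf) - start + 1):
        tokens = []
        for i in range(n):
            tokens.append("?" if i in wildcards else f"{buf[start + i]:02X}")
        pattern = " ".join(tokens)
        if find_pattern(buf, pattern) == [start]:
            return pattern
    return None


if __name__ == "__main__":
    sig = make_signature([FUNC_IN_BINARY_A, FUNC_IN_BINARY_B])
    print("cross-build signature:", sig)
    print("found at offsets:", find_pattern(BINARY_B, sig))
    # Operand bytes 3..6 are the disp32 of the first instruction (assumed known
    # from disassembly); mask them and ask for the shortest unique pattern.
    print("shortest unique:", shortest_unique_signature(BINARY_B, FUNC_B_OFFSET,
                                                         wildcards={3, 4, 5, 6}))
```

Running the block shows the cross-build signature `48 8B 05 ? ? ? ? 48 85 C0 74 05 E8 ? ? ? ? C3` matching only the real function at offset 12, not the decoy, and the shortest unique pattern from that address being `48 8B 05 ? ? ? ? 48`, since the decoy shares the first seven (masked) bytes and only diverges at the eighth. The difference between the two approaches is the practical point: sample-diffing masks only what was observed to vary, while operand-aware masking gives a pattern that stays valid when the binary is relaid out.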