MCPcopy Create free account
hub / github.com/0xPhoeniX/MazeWalker

github.com/0xPhoeniX/MazeWalker @v0.2

Chat with this repo
repository ↗ · DeepWiki ↗ · release v0.2 ↗ · + Follow
300 symbols 848 edges 81 files 29 documented · 10% updated 4y agov0.2 · 2017-08-18★ 1697 open issues

Browse by type

Functions 272 Types & classes 28
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

Overview

MazeWalker’s goal is to reduce malware analysis time by automating runtime data collection and better visualization eventually helping a researcher to concentrate on static analysis and less on its dynamic part.

  • Packed code - MazeWalker monitors all memory areas where code execution took place, to be able to reconstruct the whole execution later. If there was a code change in the already monitored area (runtime code decryption), then the new version will be saved too, for later analysis. This approach appears to be useful for general code unpacking.

  • Position independent code - to solve indirect control flow change issues (jmp eat, call [eax], etc.), the instruction reference address and the control flow change target address are collected for later usage during static phase.

  • System APIs - it's no secret, that knowing system API parameters that were used during execution could be helpful in understanding malware internals and overall purpose. So, MazeWalker has a Python-based API call site analysis to save or alter API's params that were used. More could be read on the dedicated wiki page.

  • Code coverage - MazeWalker collects the list of all basic blocks that were executed, in all monitored processes. This information is used to assist code navigation latter by marking control flow graph in IDA database.

  • Code dispersion - most malware today will use code injection and distribute itself into different process on the system. MazeWalker is able to follow those injection paths and collect data in all processes, to show a more clear picture of sample behaviour.

  • Environment Detection - a lot of anti-research techniques are based on the gathered information by various system APIs. As MazeWalker's API interception abilities are script-based, it is very easy to add new anti-anti-research countermeasures (wiki).

  • Visualization - all collected runtime information is processed by a IDAPython plugin and presented in more (hopefully) meaningful way. The new way of visualization, takes into account the runtime information and shows how the code was executing per-thread view. This way helps more logically understand the design of the program and further focus on a particular task.

  • Focus - in case there is some particular topic of interest for the analyzed sample (Network interaction), there is a way to filter out the execution data and focus only on the specifics of the research.

Design

MazeWalker is based on Intel's Pin framework for runtime data collection and IDAPython for in-IDA visualization.

Usage

Please refer to wiki for detailed explanation.

Core symbols most depended-on inside this repo

Shape

Function 227
Method 45
Class 26
Enum 2

Languages

C42%
Python37%
C++21%

Modules by API surface

MazeTracer/src/parson.c125 symbols
MazeUI/mazeui/core/MazeAnalysis.py14 symbols
MazeUI/mazeui.py14 symbols
MazeTracer/src/pe.cpp14 symbols
MazeUI/mazeui/widgets/MazeWalkerWidget.py13 symbols
MazeTracer/src/log.cpp8 symbols
MazeUI/mazeui/core/helpers/ui_hooks.py7 symbols
MazeTracer/src/mazewarker.cpp7 symbols
MazeTracer/src/mazewarker.h6 symbols
MazeUI/mazeui/widgets/CustomWidget.py5 symbols
MazeTracer/src/parson.h5 symbols
MazeTracer/src/memory_log.cpp5 symbols

For agents

$ claude mcp add MazeWalker \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact

Ask about this repo answers extend the page