Malware Analysis and Static Call Graph Generation with Radare2

Abstract

"A powerful feature used in automated malware analysis is the static call graph of the executable file. Elimination of sandbox environment, fast scan, function call patterns beyond instruction level information – all of these motivate the prevalence of the feature. Processing and storing the static call graph of malicious samples in a scaled manner facilitates the application of complex network analysis in malware research. IDA Pro is one of the leading disassembler tools in the industry and can generate the call graph via GenCallGdl and GenFuncGdl APIs – a tool which was used in our previous works. In this paper an alternative analysis method is presented using another disassembler tool, Radare2, an open-source Unixbased software, which is also frequently used in this domain. Radare2 has Python support (among other languages), via the r2pipe package, thus enabling full scalability on Linux-based servers using containerized solutions. This paper offers a detailed technical description on how to use Radare2 to generate the static call graph of a PE file and a thorough comparison with the output of IDA Pro, as well as a public dataset on which the experiments were carried out. 2010 Mathematics Subject Classification. 68P25, 68P30. 1998 CR Categories and Descriptors. D.4.6 [Security and Protection]: Subtopic – Invasive software. Key words and phrases. malware analysis, static call graph, radare2, IDA Pro."