A few disassembled files are provided to demonstrate how DOC works. These files are located in the
edu.louisiana.cacs.DetectObfuscation project, under the Samples folder.
With DOC running, these files can be loaded by selecting File->New Project and choosing the
new Obfuscation Detection project wizard.
Below is a listing of the files along with a description of each.

| File | Description |
|---|---|
| delayloop.asm | Wastes CPU cycles in an attempt to trick emulators into thinking the file does nothing. Because DOC uses abstract interpretation, it is not vulnerable to such tactics. |
| evol.a.asm | The Evol.a virus. Some instructions have been modified to work with DOC's present limitations. |
| sample1.asm | Very simple, easy-to-follow code. |
| sample2.asm | More simple code. |
| sample3.asm | More simple code. Return address is modified at instruction 00401020. |
| sample4.asm | Slightly more complicated. Uses Return to make a system call. |
| unbalanced.asm | Loop with more POPs than PUSHes. Demonstrates the case where the abstract stack graph contains a loop. |
| unbalanced2.asm | Loop with more PUSHes than POPs. Demonstrates the case where the abstract stack graph contains a loop. |