One of the ideas we had was, wouldn't it be useful to use the Maltego visualisation and data mining engine on Windows binaries? This is sort of a cool concept, but what useful information could we extract? Some braining storming later and we thought that in modern software development the end products we install can be made up of software components from many different vendors. So we thought if we extract this information we can start seeing relationships between:
- Software publishers
- Code signers
- Geographic locations
- Third/fourth party component providers
So we wrote a set of prototype Maltego local transforms to extract information from Windows binaries. The ones we created are:
- Code signer and vendor company (from signature and binary details)
- Binaries signed/produced by a company (inverse of the above)
- Calculating file hashes
- String extraction
As I said the goal was really to prove an idea and understand the value of both the visualization and the ability to leverage Maltego’s existing transforms to further mine data and relationships in relation to binaries. We see these plug-ins could be used as-is by organizations wishing to:
- Understand the make up in terms of software publishers of an application / package
- Identify code trust relationships between organizations
- During malicious code analysis to identify sources of strings found in a binary (i.e. code fragments)
Anyway without further ado we've put together a rough little demo video of some of the transforms we wrote to give you an idea.
During the development we also wrote a C# helper class to expedite local transform development. For example a very basic test case is now:
So that's it, idea to prototype in a single blog post..
If you’re interested in these plug-ins and what we’re doing with Maltego feel free to prop us an e-mail to firstname.lastname@example.org or contact us via Twitter @RecxLtd. We’ll happily share the plug-ins as-is with source code with interested parties.