What could be more tedious, when starting to reverse engineer a binary, whether for vulnerability research or malware analysis for example, than having to begin by locating the code that is already known?
In some firmware, where there are no debug symbols and the OS is proprietary, one can spend several months just identifying the essential functions (memcpy, printing to the UART…).
GLIMPS-Audit gets through this step in a few seconds. An uploaded binary is immediately compared against millions of libraries and other binaries that we have collected and for which we hold the symbols. Within seconds, we see which known code is included in the binary, and we can bring the corresponding documentation into our new analysis.
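To make the idea of "compare the binary against a corpus of symbolised code" concrete, here is an added toy example in Python; it is not GLIMPS-Audit's code or method, and the library names, symbols, byte strings and addresses are all constructed for the demonstration. Each known function is reduced to a fingerprint over its machine code with the 4-byte targets of x86-64 `call rel32` (E8) and `jmp rel32` (E9) zeroed, so that the same function linked at a different address still hashes the same; the stripped binary's functions are then looked up in that index.

```python
"""Toy known-code identification by masked-byte fingerprinting (constructed example)."""
import hashlib
from typing import Dict, List, Tuple

# Constructed reference corpus: library -> symbol -> function bytes (x86-64).
# These byte strings are hand-made stand-ins, not real libc/libz code.
REFERENCE_LIBS: Dict[str, Dict[str, bytes]] = {
    "libc-constructed": {
        "memcpy": bytes.fromhex("554889e54889f84889d14889f2f3a45dc3"),
        "puts":   bytes.fromhex("554889e5e8100000005dc3"),  # contains a call rel32
    },
    "libz-constructed": {
        "crc32":  bytes.fromhex("554889e531c0ffc05dc3"),
    },
}

# Constructed "stripped binary": function address -> function bytes.
STRIPPED_BINARY: Dict[int, bytes] = {
    0x1000: bytes.fromhex("554889e54889f84889d14889f2f3a45dc3"),  # same bytes as memcpy
    0x1020: bytes.fromhex("554889e5e8400100005dc3"),              # puts, other call target
    0x1040: bytes.fromhex("554889e5ffc0ffc05dc3"),                # application-specific code
}


def normalize(code: bytes) -> bytes:
    """Zero the rel32 displacement after E8 (call) / E9 (jmp).

    A byte-level scan is a simplification: a real tool disassembles so that an
    E8/E9 byte inside another instruction's operand is not misread as a call.
    """
    out = bytearray()
    i = 0
    while i < len(code):
        b = code[i]
        out.append(b)
        if b in (0xE8, 0xE9) and i + 4 < len(code):
            out.extend(b"\x00\x00\x00\x00")  # mask the relocation-dependent target
            i += 5
        else:
            i += 1
    return bytes(out)


def fingerprint(code: bytes) -> str:
    """Stable identity of a function body once address-dependent bytes are masked."""
    return hashlib.sha256(normalize(code)).hexdigest()


def build_index(libs: Dict[str, Dict[str, bytes]]) -> Dict[str, Tuple[str, str]]:
    """fingerprint -> (library, symbol), built once from the symbolised corpus."""
    index: Dict[str, Tuple[str, str]] = {}
    for lib, symbols in libs.items():
        for sym, code in symbols.items():
            index[fingerprint(code)] = (lib, sym)
    return index


def identify(functions: Dict[int, bytes],
             index: Dict[str, Tuple[str, str]]) -> Tuple[Dict[int, Tuple[str, str]], List[int]]:
    """Return (address -> (library, symbol)) for matched functions and the unmatched addresses."""
    matched: Dict[int, Tuple[str, str]] = {}
    unknown: List[int] = []
    for addr, code in functions.items():
        hit = index.get(fingerprint(code))
        if hit is not None:
            matched[addr] = hit
        else:
            unknown.append(addr)
    return matched, unknown


def run_demo() -> Tuple[Dict[int, Tuple[str, str]], List[int]]:
    index = build_index(REFERENCE_LIBS)
    matched, unknown = identify(STRIPPED_BINARY, index)
    for addr, (lib, sym) in sorted(matched.items()):
        print(f"0x{addr:04x}: {sym} (from {lib})")
    for addr in unknown:
        print(f"0x{addr:04x}: no match, analyse by hand")
    return matched, unknown


if __name__ == "__main__":
    run_demo()
```

The function at 0x1020 matches `puts` even though its call target differs from the reference copy, which is the point of masking relocations; the function at 0x1040 stays unidentified and is the part an analyst still has to read. Production matching uses far more robust features than a masked byte hash (instruction-level normalisation, tolerance to compiler and version differences), but the index-and-lookup structure is the same.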
In our example, we have an ELF with 14000 functions, of which only two are identified by IDA: “_init_proc” and “_term_proc”. Under normal circumstances, it looks like it is going to be a long day…
The following screenshot shows the situation: