Detecting Cryptography through IR Visualization

The detection of important functionality in binaries is a complex and time consuming task in reverse engineering and malware analysis. Especially cryptographic routines as part of an executable are of interest to an analyst. There are already several automated techniques for finding cryptography within a binary available, ranging from static signatures detection to dynamic behavioural observation. This paper presents a novel approach for functionality detection through the disassembly of binaries, lifted into an intermediate representation (IR). A visualization of the IR then aids an human analyst to find functionality. We evaluate the approach with a binary containing the libgcrypt cryptographic library. The results suggest this to be another useful method for visual binary analysis.