MicroSCOPE is a command-line tool that statically analyzes ELF (*nix) or PE (Windows) binary programs. It applies heuristics to look for features that may identify a program as ransomware.
The project was developed following modern software engineering practice, with an incremental approach. The programming language is Go, which is powerful, versatile and has a syntax very close to C; Go allowed the software to be written in a few weeks.
Some of the features of the MicroSCOPE program:
- Parsing of the Portable Executable (PE) binary file format:
  - Correctness checks of the binary header.
  - Calculation of section entropy.
  - Parsing of the import section.
  - Parsing of resources.
  - Parsing of the export section.
  - Parsing of the TLS section.
  - Parsing of the debugging section.
- Parsing of the Executable and Linkable Format (ELF) binary file format:
  - Correctness checks of the binary header.
  - Calculation of section entropy.
  - Parsing of the Symbol Table section.
- String extraction.
- Application of heuristics:
  - Heuristics on headers.
  - Heuristics on sections.
  - Heuristics on imports.
  - Heuristics on strings.
- Disassembly of the .TEXT section (WIP).
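As an added illustration of the section-entropy feature and the section heuristics built on it (example code, not MicroSCOPE's own), the following Go snippet uses the standard library's debug/elf to score every section of an ELF file and flag the high-entropy ones that a packing or encryption check would look at; the function names and the 7.0 bits/byte threshold are assumptions of this example.

```go
package main

import (
	"debug/elf"
	"math"
)

// ShannonEntropy returns the entropy of data in bits per byte (0 to 8).
// Packed or encrypted sections approach 8; plain code and text sit well below.
func ShannonEntropy(data []byte) float64 {
	var counts [256]float64
	for _, b := range data {
		counts[b]++
	}
	h, n := 0.0, float64(len(data))
	for _, c := range counts {
		if c > 0 {
			h -= c / n * math.Log2(c/n)
		}
	}
	return h
}

// Suspicious flags a section whose entropy suggests packing or encryption.
// The 7.0 bits/byte threshold is this example's assumption, not MicroSCOPE's value.
func Suspicious(h float64) bool { return h >= 7.0 }

// ELFSectionEntropies opens an ELF file with Go's debug/elf and maps each named
// section to its entropy. SHT_NOBITS sections (.bss) occupy no file bytes, so
// they are skipped rather than scored.
func ELFSectionEntropies(path string) (map[string]float64, error) {
	f, err := elf.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	out := map[string]float64{}
	for _, s := range f.Sections {
		if s.Type == elf.SHT_NOBITS || s.Name == "" {
			continue
		}
		d, err := s.Data()
		if err != nil {
			return nil, err
		}
		out[s.Name] = ShannonEntropy(d)
	}
	return out, nil
}
```

Call ELFSectionEntropies from a main or test of your own; entries for which Suspicious returns true are the candidates a section heuristic would examine further.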
Documentation and code are available on GitHub.