backengineering/binstats

binstats

Statistics from our binary transformation framework. All files in this repo are Win64 binaries. No source code was altered in order to achieve these statistics. Furthermore, no debug information (PDB, map file, etc.) was used to aid in the coverage statistics. Binaries in this repo were compiled with a wide range of compiler options (/O2, /GL, etc.).

Layout

  • asn1_dsa_internal_test/ - An OpenSSL test, you can find source here
  • chrome - Main module for chrome (chrome.dll). This is the same binary as this one here in bintests
  • clang-repl - clang's repl, read more here
  • Discord - 64bit Discord 1.0.9157
  • engine2 - Engine module from Counter-Strike 2
  • Fibonacci - LLVM JIT example, source here
  • hvix64 - Microsoft's Hyper-V Intel module
  • libcrypto-3-x64 - OpenSSL (3.1.0) shared library
  • LLJITWithOptimizingIRTransform - LLVM JIT example with optimizations, source here
  • mpengine - Microsoft Windows Defender module. Alexei Bulazel reverse engineering of it
  • MultiWorldDemo - Unreal Engine 5 demo game. Repo for the source is here. This is the same file as this one here.
  • notepad++ - Main executable for notepad++ (8.4.8.0)
  • ntdll.dll - ntdll version 10.0.19041.4522
  • ntoskrnl - ntoskrnl version 10.0.10240.16384
  • nvlddmkm - NVIDIA's GPU Driver 25.21.14.2591
  • OrcV2CBindingsIRTransforms - Another LLVM JIT example, source here
  • Signal - Signal main executable, version 7.4.0.0
  • Telegram - Telegram main executable, version 5.7.2.0
  • x64dbg - mrexodia (Duncan Ogilvie) x64dbg dll
  • x64gui - mrexodia (Duncan Ogilvie) x64gui dll
  • xul - Tor (aka Firefox) main dll xul, version 115.15.0.9012

Each folder contains the following files:

  • func-info.csv - This is a CSV file that contains function and basic block information, including reference counts.
  • func-leaaf.csv - Tells you the leaf status of every function we identified.
  • results.png - Statistic results for the binary.
  • [file name]-coverage.svg - The coverage statistics. Any function within the "transformed" category of the pie chart can be obfuscated.
  • [file name] - The binary file name, same as the folder name.

Generating Results

Requires Python 3.x

pip install -r requirements.txt
python script.py

Special Thanks

Special thanks to mrexodia (Duncan Ogilvie) and the rest of the people who maintain x64dbg. We have spent thousands of hours building this binary transformation framework, and many of those hours were spent in x64dbg.

TODO

  • Size of the most referenced basic block
  • Number of basic blocks in the largest function
  • Number of instructions in the largest function
  • Average function size
  • Add UEFI files (bootmgfw)
  • Executable env column
  • Extend data set and make visuals (1 and 2 var visuals)
