{"id":13760,"date":"2017-01-13T18:48:31","date_gmt":"2017-01-13T17:48:31","guid":{"rendered":"https:\/\/codisec.com\/?p=13760"},"modified":"2023-03-22T16:29:58","modified_gmt":"2023-03-22T15:29:58","slug":"binary-visualization-explained","status":"publish","type":"post","link":"https:\/\/codisec.com\/binary-visualization-explained\/","title":{"rendered":"Binary visualization explained"},"content":{"rendered":"

Veles visualizations are purely statistical representations of binary data. We take a sequence of bytes and visualize correlations between certain values. It doesn't matter if it's an executable file, a picture or a disk image – from the perspective of visualization any file is just a sequence of bytes.

There are a few different visualization modes supported by Veles: digram, layered digram and trigram. Let's explain them one by one.

Digram

In digram visualization we look at all 2-byte sequences (digrams) and compare their relative frequency in the file. We treat each 2-byte sequence as a pair of coordinates that we draw on a 2D surface. Let's imagine a tiny example file made of the following bytes:

02 03 05 01

To create a digram visualization we iterate through the file and list all the 2-byte sequences we encounter: <2, 3>, <3, 5>, <5, 1>. We treat each pair as the 2D coordinates of a point we put in our visualization. The result is shown in the diagram below:


Note that each byte (except the first and the last one in the file) is used twice, once as a coordinate on the x-axis and once on the y-axis.
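The digram construction described above, as an added Python example that is not part of the original article or of Veles' own code: it counts every overlapping 2-byte pair and turns the counts into a 256x256 grayscale image. The function names, the sample buffers and the linear count-to-brightness scaling are assumptions made for illustration.

```python
from collections import Counter

SAMPLE = bytes([0x02, 0x03, 0x05, 0x01])   # the tiny example file from the text
MIXED = b"\x00" * 5 + b"AB" * 2            # constructed: zero padding + short text


def digram_counts(data: bytes) -> Counter:
    """Count every overlapping 2-byte sequence as an (x, y) point."""
    return Counter(zip(data, data[1:]))


def axis_usage(data: bytes):
    """For each byte offset, return (times used as x, times used as y)."""
    n = len(data)
    return [(int(i < n - 1), int(i > 0)) for i in range(n)]


def brightness_grid(counts: Counter, size: int = 256):
    """Scale digram counts to 0..255 pixel values on a size x size grid."""
    grid = [[0] * size for _ in range(size)]
    peak = max(counts.values(), default=0)
    for (x, y), c in counts.items():
        # Assumption: linear scaling against the most common digram, with a
        # floor of 1 so that a digram seen once is dim rather than invisible.
        grid[y][x] = max(1, c * 255 // peak)
    return grid


def to_pgm(grid) -> bytes:
    """Serialize the grid as a binary PGM (P5) image for any image viewer."""
    header = f"P5\n{len(grid[0])} {len(grid)}\n255\n".encode()
    return header + b"".join(bytes(row) for row in grid)


if __name__ == "__main__":
    print(sorted(digram_counts(SAMPLE)))          # the three points from the text
    print(axis_usage(SAMPLE))                     # interior bytes are used twice
    image = to_pgm(brightness_grid(digram_counts(MIXED)))
    print(len(image), "bytes of PGM data")
```

Write the bytes returned by `to_pgm` to a `.pgm` file to view the plot; runs of identical bytes show up as bright points on the diagonal.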

Of course, real files are much larger and contain many digrams. In Veles the brightness of each point is determined by the relative frequency of each digram in the file. The most common ones will be white, while those encountered only a few times will be very dim, almost completely black. Let's take a look at a few examples: