Skip to content

How to use Glyph

Jump to bottom
Xenios edited this page Nov 26, 2022 · 14 revisions

How to use Glyph

Setup

https://github.com/Xenios91/Glyph/wiki/Setup

Creating a model

  1. On the home page to start a user should select "Click here to start" or the user can select the navbar link at the top called "Upload".
  2. Once a user is presented with the upload screen, a user can upload any ELF 32/64 bit binary shared object or executable to have analysis performed. When uploading this binary, if it is the first model being generated it will be required to be a model, as we need one to make predictions on.
  3. A model name will be required, this is just a reference to that machine learning model that is being generated so it can be used to run predictions against it.
  4. Next there is a drop down select field that currently only holds one type "Multi Class". This is the only current available type of classification available.
  5. Upon filling out the required fields a user can then upload their binary by selecting "Select your file". Upon a selection the binary will be uploaded and a model will be created. Note - Depending on the binary size, this may take a while. A status is available on the "View Models" page within the navbar.

Creating a prediction

  1. On the home page to start a user should select "Click here to start" or the user can select the navbar link at the top called "Upload".
  2. Once a user is presented with the upload screen, a user can upload any ELF 32/64 bit binary shared object or executable to have analysis performed. When uploading this binary, if it is the first model being generated it will be required to be a model, as we need one to make predictions on. If you have not completed this step, please see "Creating a model" above.
  3. The user will then need to uncheck the "Generate Model" box as we are not creating a model.
  4. A task name will then be required for predictions. A task name is simply a reference to the predictions made so they can be looked up once completed.
  5. A model will be required to be selected, in the "Select Model" drop down, a user will need to select the previously generated model to use for predictions to be made against.
  6. Within the "Select ML Class Type" drop down, a user currently will just leave it "Multi Class", as this is the only type currently supported.
  7. Finally, a user can select "Select your file" to select a binary shared object or executable to be uploaded. Note - Depending on the binary size, this may take a while. A status is available on the "View Predictions" page within the navbar.

Evaluating the generated models functions

  1. Within the navbar a user can select "View Models" and will be presented with a page showing the models generated/being generated and their current status.
  2. If the model generation task is complete, the user can then select the model name they wish to view.
  3. The user then will be taken to a page showing all available detected functions and their associated entry point address.
  4. A user can then select a function to view and will be taken to a page showing the associated decompiled C code the function contains.
  5. If the user wishes to delete a model, they can simply scroll to the bottom of the page and select "Delete" in which the model and associated predictions will be removed from Glyph.

Evaluating predictions

  1. Within the navbar a user can select "View Predictions" and will be presented with a page showing available predictions they can view within a table. This table contains two columns, one is the predicted function name (The name of the function from the model it was predicted to be) and another column containing the model that was utilized to generate these predictions.
  2. Upon selecting a prediction, the user will be presented with a table showing two columns the predicted function name (The name of the function from the model it was predicted to be) and the entry point within that binary where that function resides.
  3. Upon selecting a function name within the table, the user will be brought to a page showing two tables, one which is the associated decompiled C code from the models function, and another table showing the associated decompiled C code from the predicted function. Allowing a user to compare the prediction without the need of opening the function up in a RE tool such as IDA or Ghidra.
  4. If the user wishes, they can also delete all predictions from the associated task by going to the page referenced in step 2 and can select "Delete" at the bottom. Note - All task information including predictions associated with that task will be deleted, however the model will remain.
Clone this wiki locally