Tbdisasm

Static disassemblers such as Ghidra and our own ddisasm are powerful, but they struggle with certain targets: dynamically loaded code, obfuscated binaries, and packed binaries. Such features are common in malware, motivating disassemblers that can handle them.

Tbdisasm, our trace-based disassembler, works by instrumenting a binary, tracing its execution, and constructing the disassembly from the recorded trace. It produces output in our GTIRB representation, for easy compatibility with the rest of our binary analysis and transformation tooling.
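As an added illustration of the trace-based approach (not tbdisasm's own code, nor its GTIRB output), the following Python sketch rebuilds code blocks and control-flow edges from a constructed execution trace; the trace format, the addresses, and the on-disk code range are assumptions made for the example.

```python
"""Toy trace-based disassembly: recover code blocks and control-flow edges
from a recorded execution trace. Illustrative example only, not code from
tbdisasm or GTIRB; the trace format and all addresses are constructed."""

# Constructed trace of (address, length, text) per executed instruction, as a
# hypothetical instrumentation pass might record it. The 0x2000 region models
# code unpacked at runtime, which a static view of the file never sees.
TRACE = [
    (0x1000, 5, "call 0x2000"), (0x2000, 1, "push rbp"),
    (0x2001, 3, "mov rbp, rsp"), (0x2004, 2, "test rdi, rdi"),
    (0x2006, 2, "jz 0x200c"), (0x2008, 3, "mov eax, 1"),
    (0x200b, 1, "ret"), (0x1005, 5, "call 0x2000"),
    (0x2000, 1, "push rbp"), (0x2001, 3, "mov rbp, rsp"),
    (0x2004, 2, "test rdi, rdi"), (0x2006, 2, "jz 0x200c"),
    (0x200c, 2, "xor eax, eax"), (0x200e, 1, "ret"),
    (0x100a, 1, "ret"),
]
ON_DISK_CODE = range(0x1000, 0x1100)  # hypothetical .text extent in the file

def disassemble_trace(trace):
    """Return (blocks, edges): blocks maps each block's leader address to its
    ordered [(address, text), ...]; edges is a set of (from_leader, to_leader)."""
    insns = {addr: (length, text) for addr, length, text in trace}
    leaders = {trace[0][0]}
    for (addr, length, _), (nxt, _, _) in zip(trace, trace[1:]):
        if nxt != addr + length:            # a jump/call/ret was taken
            leaders.add(nxt)                # the target starts a block
            if addr + length in insns:      # so does the fall-through path,
                leaders.add(addr + length)  # if it was ever executed
    # Walk executed addresses in order, opening a block at each leader or gap.
    blocks, owner, cur, cur_end = {}, {}, None, None
    for addr in sorted(insns):
        length, text = insns[addr]
        if addr in leaders or cur is None or addr != cur_end:
            cur = addr
            blocks[cur] = []
        blocks[cur].append((addr, text))
        owner[addr] = cur
        cur_end = addr + length
    edges = {(owner[a], owner[b]) for (a, _, _), (b, _, _) in zip(trace, trace[1:])
             if b in leaders}
    return blocks, edges

def runtime_only_blocks(blocks, on_disk=ON_DISK_CODE):
    """Leaders of blocks outside the on-disk code: code the trace observed
    only because it was created or loaded at runtime."""
    return sorted(b for b in blocks if b not in on_disk)

if __name__ == "__main__":
    blocks, edges = disassemble_trace(TRACE)
    for leader, body in blocks.items():
        print(f"block {leader:#x}: " + "; ".join(t for _, t in body))
    print("edges:", sorted(f"{a:#x}->{b:#x}" for a, b in edges))
    print("runtime-only:", [f"{b:#x}" for b in runtime_only_blocks(blocks)])
```

The three blocks at 0x2000, 0x2008 and 0x200c exist in the output only because the trace executed them; the conditional branch at 0x2006 is split correctly because both of its outcomes were observed across the two calls.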