Graph-theoretical investigation of a corpus of malware obtained from the web using mwcrawler. Named for Dénes Kőnig, who wrote the first textbook on graph theory.
python konig.py [OPTIONS]
OPTION LIST:
-d Directory of files to be hashed. Defaults to current directory if not specified.
-t Threshold of similarity before files are considered linked, on 0-100 scale. Defaults to 80 if not specified.
-o Output file for fuzzy hashes once calculated. Stored in JSON format.
-i Input file for previously-calculated fuzzy hashes. Must be in JSON format (e.g. created with -o above). Note that any files listed here will NOT be rehashed, even if they have changed.
-f Investigation file. Konig will calculate the graph, then present the connected component graph containing this file (everything related to it, directly or indirectly).
-e Export file. Save your graph as GraphML for use in other tools.
-n Do not plot (interactively). GraphML export is not affected by this switch.
Note that once the graph displays, you can click on the Zoom-to-rectangle button to select an area for closer examination. See the matplotlib docs for more information. Alternately, you can import the GraphML file into Gephi or similar.
Copyright 2013, Kyle Maxwell. Licensed under GPL v3. See LICENSE for more details.