Overview

Supported formats

How to build

Version history
GUI

Command line

XML project
All rules

PE001

PE002

PE003

PE004

PE005

PE006

PE007

PE008

PE009

PE010

PE011

PE012

PE013

PE014

PE015

PE016

PE017

PE018

PE019

PE020

PE021

PE022

PE023

PE024

PE025

PE026

PE027

PE028

PE029

PE030

PE031

PE032

PE033

PE034

PE035

PE036

PE037

PE038

PE039

PE040

PE041

PE042

PE043

PE044

PE045

PE046

PE047

PE048

PE049

PE050

PE051

PE052

PE053

PE054

PE055

PE056

PE057

PE058

PE059

PE060

PE061

PE062

PE063

PE064

PE065

PE066

PE067

PE068

PE069

PE070

PE071

PE072

PE073

PE074

PE075

PE076

PE077

PE078

PE079

PE080

PE081

PE082

PE083

PE084

PE085

PE086

PE087

PE088

PE089

PE090

PE091

PE092

PE093

PE094

PE095

PE096

PE097

PE098

PE099

PE100

PE101

PE102

PE103

PE104

PE105

PE106

PE107

PE108

PE109

PE110

PE111

PE112

PE113

PE114

PE115

PE116

PE117

PE118

PE119

PE120

PE121

PE122

PE123

PE124

PE125

PE126

PE127

PE128

PE129

PE130

PE131

PE132

PE133

PE134

PE135

PE136

PE137

PE138

PE139

PE140

PE141

PE142

PE143

PE144

PE145

PE146

PE147

PE148

PE149

PE150

PE151

PE152

PE153

PE154

PE155

PE156

PE157

PE158

PE159

PE160

PE161

PE162

PE163

PE164

PE165

PE166

PE167

PE168

PE169

PE170

PE171

PE172

PE173

PE174

PE175

PE176

PE177

PE178

PE179

PE180

PE181

PE182

PE184

PE185

PE186

PE187

Graphical user interface

Binary Valentine provides the fully featured graphical user interface (binary-valentine-ui), which allows to scan files and folders, and create, edit and save projects.

The interface is tab-based, meaning that you can open or create several projects at the same time.

Compared to the Command line utility, the GUI executable is fully autonomous and does not require any additional files from the data subfolder to run (all necessary files are embedded into it).

Home page
Project settings
Global selector
Report filter
Targets to scan
Specific target to scan
Report outputs
Scan
Saving the project

Home page

The home UI page allows to create and open projects, and to scan files and folders without creating a project in advance. It also supports drag-and-drop: you can drop any number of files and folders on it to do a quick analysis. If you drop an xml file, Binary Valentine will try to load it as a project.

Project settings

When creating a new project or opening an existing one, and also when trying to analyze files or folders without creating a project in advance, you will see the following UI:

The tab name will show either "New project" or the corresponding project file name. It will be in bold if you have made any changes to it since opening.

On the "Project settings" tab, you can set the following options:

Root path - this path will be used as a root path for all relative paths used in project. If absent, a current directory path will be used as a root path.
Combined analysis - by default, Binary Valentine performs both single-executable and cross-executable analysis. Cross-executable rules detect issues across all executables which are being scanned within a single project. For example, there are rules which detect PE version information inconsistencies across all analyzed files.
Analysis threads and Analysis thread count - Binary Valentine is a multithreaded application, and it allocates a number of threads which corresponds to the number of processor cores by default. Each file is analyzed by a separate thread, and there is also a common thread which loads the files. This option can be enabled to override the default number of threads used by the program.

You can also override the default File analysis limits. By default, Binary Valentine may load up to 1 gigabyte of data in memory. When a preloaded file gets analyzed and freed, Binary Valentine reads another file with the total size of loaded files not larger than 1 Gb. If needed, you can customize this behavior:

Limit loaded files size - This option can be specified to override the maximum amount of memory to use for preloaded files waiting for analysis.
Limit number of loaded files - Instead of limiting the preloaded data by size, you can limit the amount of simultaneously loaded files using this option.

Global selector

This page allows to set up the rule selection which will be used during the analysis. Using this page, you can filter out particular rules, issue levels and categories, as well as set up rule-specific filtering by report messages.

Binary Valentine UI global rule selector

Using the Report selection option, you can either exclude some reports from analysis, or include only the selected reports. You can group reports by rules which provide them to facilitate navigation.

With Report level selection and Report category selection, you can disable some report levels and report categories.

With Custom report filters, you can create a report filter for a specific report. The filter will exclude the report if its output does not match the regular expressions you provided. The next section describes the corresponding UI page.

Report filter

This page is specific to each report and can be added from the rule selector page (either Global or target-specific).

In this example, the filter target is the PE082 rule, which is the "Deprecated WinAPI import" rule.

The input fields specify the case-sensitive ECMAScript regular expressions. In the example above, the filter will match if any of the two included regular expressions match the report output. The first one matches the dll report output argument, the second one - the api report output argument. As the mitigation regex is empty, it does not participate in filtering. You can see the full template of the report message (including arguments) in the Report description text label.

Overall, you can read this report filter as follows: exclude all reports from the PE082 (Deprecated WinAPI import) rule if any of the following regular expressions match the report output:

The DLL name matches kernel32.dll. This will filter out all deprecated WinAPI imports from kernel32.dll.
The API name matches RegOpenKey[AW]. This will additionally filter out functions with names which match the RegOpenKey[AW] regular expression (e.g. RegOpenKeyA, RegOpenKeyW).

Targets to scan

This page allows you to add targets to be analyzed. Targets can be files and directories.

You can either use the File or folder to add input field to specify the path manually, or just drag-and-drop the files and folders on the area below that field.

When adding targets, you can either use absolute paths, or relative ones. In the latter case, the absolute path will be computed by concatenating with the root path (see Project settings).

Specific target to scan

For each target (either a file or a directory) added to the project, there will be a separate page with analysis options.

You can scan the target recursively (applicable to directories) by enabling the Scan recursively option.

You can convert the target path from absolute to relative to the root path and vice versa by clicking the Use relative path and Use absolute path. Root path can be set up on the Project settings page.

In the Path filters section, you can specify one or more ECMAScript regular expressions to filter out paths during analysis (which is applicable to directories). The filter on the screenshot above will include only the dll files from the C:/Windows/System32 directory. Note that the regular expressions are case sensitive.

By clicking the Set up target-specific rule selector button, you can override the rule selector for the target. If no target-specific selector is specified, the global one is used. Otherwise, the target-specific one is used. The target-specific rule selector page interface is almost identical to the Global selector interface and will not be separately documented.

Report outputs

On this page, you can specify the report outputs. These include the terminal output (when doing the analysis via the Command line) and any number of text or SARIF output files.

On the screenshot above, the terminal output is turned on, and the report will additionally be saved to the report.txt plaintext file (which will be created in a path relative to the project root path).

When running the analysis within the GUI, you will be also able to see the reports directly in the UI in real time.

Scan

On this page, you can perform the analysis based on the project settings.

You can use the Start executables analysis button to kick off the analysis. After that, you will see the report and the analysis progress in real time. To stop the ongoing analysis, you can click and hold the corresponding button.

After the analysis had finished, you will see all files with at least one detected issue. You can filter the issues by levels and categories.

By selecting a specific file in the Reports list, you can view the issues detected for that file. Selecting a specific issue will show its detailed description with a link to this website, which suggests potential mitigations for every issue.

You can re-run the analysis any number of times.

Saving the project

By pressing Ctrl+S (Windows) or selecting the File - Save project or Save project as... menu, you can save the current project into an xml file. The project would be usable across the Binary Valentine GUI and the Command line variants.

Graphical user interface#

Home page#

Project settings#

Global selector#

Report filter#

Targets to scan#

Specific target to scan#

Report outputs#

Scan#

Saving the project#