This repository contains the reference implementation for the Smoke and Mirrors (SaM) sandbox, a dynamic analysis system for OT malware triage. SaM combines dynamic binary instrumentation, protocol-aware network simulation and coverage-guided fuzzing to systematically explore OT malware control flow.
Running SaM yields a Network-Event Tree (NET): a compact behavioural profile for the malware sample, capturing network interactions aggregated across many executions with different simulated network environments.
Here, we run SaM against a real-world OT malware sample, Triton. Seeded from a single PCAP file, SaM navigates deep response-gated branches, revealing previously undocumented functionality that prior expert analysis missed (shown in red).
Running make at the root of the repo will build Navigator natively (for your current OS) and will build libinject for Windows.
Run cargo run -- --help for the CLI documentation of the navigator binary.
Follow the build instructions for 32-bit builds, then ensure that a suitable 32-bit target is passed to cargo run.
For example:
cargo run --target i686-pc-windows-msvc --release -- --mutator-lib C:\path\to\navigator\winafl-netspoof\build32\bin\Release\mutator.dll --coverage-module prove_fuzzing_capability_32.exe --target-module prove_fuzzing_capability_32.exe --nargs 2 --target-path C:\Users\shared\prove_fuzzing_capability_32.exe --target-opts 192.2.2.2
To execute the tests in the navigator crate, run cargo test -p navigator.
Navigator generates the following outputs:
- Detailed execution log
- Network Event Tree diagram in dot format, digraph.txt
Each fuzzing run also generates the following additional outputs:
- WinAFL log, afl.<exe info>.proc.log
- Fuzzing payloads log (PCAP), fuzzing_pcap.txt
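To make the idea of a Network-Event Tree concrete (network interactions from many executions, each under a different simulated environment, merged into one tree that is written out as dot), here is a toy model added to this README. It is not SaM's own NET implementation or file format; the sample runs, the (request, response) event shape and the response-gate definition are constructed for illustration.

```python
"""Toy Network-Event Tree (NET) builder; an illustrative model, not SaM's own NET format."""
from collections import defaultdict
# Constructed sample data: one list per execution, each entry is (request, simulated_response).
SAMPLE_RUNS = [
    [("connect:502", "ok"), ("read_coils", "exception"), ("disconnect", "-")],
    [("connect:502", "ok"), ("read_coils", "coils=0x00"), ("write_coil", "ok")],
    [("connect:502", "ok"), ("read_coils", "coils=0x01"), ("write_coil", "ok")],
    [("connect:502", "refused")],
]
class NetNode:
    """One observed (request, response) pair; hits counts executions that reached it."""
    def __init__(self, request, response):
        self.request, self.response, self.hits = request, response, 0
        self.children = {}  # (request, response) -> NetNode

def build_net(runs):
    """Merge many executions into one prefix tree keyed on (request, response)."""
    root = NetNode("start", "")
    for run in runs:
        root.hits += 1
        node = root
        for req, resp in run:
            node = node.children.setdefault((req, resp), NetNode(req, resp))
            node.hits += 1
    return root

def max_depth(node):
    """Longest chain of network events below this node (deep branches matter for triage)."""
    return 0 if not node.children else 1 + max(map(max_depth, node.children.values()))

def response_gates(node):
    """Requests whose simulated response selects the next branch (unreachable in one run)."""
    by_req = defaultdict(set)
    for req, resp in node.children:
        by_req[req].add(resp)
    gates = [req for req, resps in by_req.items() if len(resps) > 1]
    for child in node.children.values():
        gates.extend(response_gates(child))
    return gates

def to_dot(root):
    """Emit the tree as Graphviz DOT; labels show request / response (hit count)."""
    lines, ids = ["digraph NET {"], iter(range(1 << 30))
    def walk(node, parent):
        me = next(ids)
        lines.append(f'  n{me} [label="{node.request} / {node.response} ({node.hits})"];')
        if parent is not None:
            lines.append(f"  n{parent} -> n{me};")
        for child in node.children.values():
            walk(child, me)
    walk(root, None)
    return "\n".join(lines + ["}"])
```

Piping the output of to_dot(build_net(SAMPLE_RUNS)) into dot -Tpng renders the tree; the two gates reported by response_gates are the branches a single fixed network environment would never exercise.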
A Rust project with a library crate and a binary crate. The binary is the main entry point for analysing a malware sample.
A CMake project that compiles to a Windows DLL.
This DLL is a DynamoRIO tool/client for which the navigator provides the configuration. The entry point for an instrumented run of the target binary is the DynamoRIO launcher (drrun.exe), which links with the desired tool/client DLL (e.g. our inject.dll).
A CMake project (and git submodule) that compiles to two Windows DLLs (winafl.dll and mutator.dll) and a binary (afl-fuzz.exe). afl-fuzz.exe is the main entry point for a fuzzing session: it runs many DynamoRIO subprocesses, using winafl.dll as the tool/client each time.
afl-fuzz.exe also links with mutator.dll, which provides a custom mutator for fuzzing candidates.
A Rust static library that is linked into inject.dll and winafl.dll.
It can only be compiled for a Windows target. All the "interesting" instrumentation logic for the two DynamoRIO tools/clients is written in Rust in libinject.
libinject has prebuilt bindings for the DynamoRIO C library.
Visit our documentation site for more details, including a Getting Started guide, information for developers and researchers and an API reference.
If you use SaM in academic work, please cite:
@article{sam2026,
title={Smoke and Mirrors: Systematic OT Malware Elicitation},
author={Ed Chapman (Alan Turing Institute), Matthew Rodda (Defence Science and Technology Group), Helen Little (Alan Turing Institute), Tim Hobson (Alan Turing Institute), James Bishop (Alan Turing Institute), Vasilios Mavroudis (Alan Turing Institute)},
year={2026},
archivePrefix={arXiv}
}
