Skip to Main content Skip to Navigation
Conference papers

CoDisasm: Medium Scale Concatic Disassembly of Self-Modifying Binaries with Overlapping Instructions

Abstract : Fighting malware involves analyzing large numbers of suspicious binary files. In this context, disassembly is a crucial task in malware analysis and reverse engineering. It involves the recovery of assembly instructions from binary machine code. Correct disassembly of binaries is necessary to produce a higher level representation of the code and thus allow the analysis to develop high-level understanding of its behavior and purpose. Nonetheless, it can be problematic in the case of malicious code, as malware writers often employ techniques to thwart correct disassembly by standard tools. In this paper, we focus on the disassembly of x86 self-modifying binaries with overlapping instructions. Current state-of-the-art disassemblers fail to interpret these two common forms of obfuscation, causing an incorrect disassembly of large parts of the input. We introduce a novel disas-sembly method, called concatic disassembly, that combines CONCrete path execution with stATIC disassembly. We have developed a standalone disassembler called CoDisasm that implements this approach. Our approach substantially improves the success of disassembly when confronted with both self-modification and code overlap in analyzed bina-ries. To our knowledge, no other disassembler thwarts both of these obfuscations methods together.
Complete list of metadatas

Cited literature [32 references]  Display  Hide  Download

https://hal.inria.fr/hal-01257908
Contributor : Guillaume Bonfante <>
Submitted on : Monday, January 18, 2016 - 2:00:06 PM
Last modification on : Tuesday, December 18, 2018 - 4:48:02 PM
Document(s) archivé(s) le : Friday, November 11, 2016 - 9:53:34 AM

File

codisasm.pdf
Files produced by the author(s)

Identifiers

Collections

Citation

Guillaume Bonfante, Jose Fernandez, Jean-Yves Marion, Benjamin Rouxel, Fabrice Sabatier, et al.. CoDisasm: Medium Scale Concatic Disassembly of Self-Modifying Binaries with Overlapping Instructions. 22nd ACM Conference on Computer and Communications Security, Oct 2015, Denver, United States. ⟨10.1145/2810103.2813627⟩. ⟨hal-01257908⟩

Share

Metrics

Record views

381

Files downloads

1368