CoDisasm: Medium Scale Concatic Disassembly of Self-Modifying Binaries with Overlapping Instructions - Archive ouverte HAL Access content directly
Conference Papers Year :

CoDisasm: Medium Scale Concatic Disassembly of Self-Modifying Binaries with Overlapping Instructions

(1) , (2) , (1) , (1) , (1) , (1)
1
2

Abstract

Fighting malware involves analyzing large numbers of suspicious binary files. In this context, disassembly is a crucial task in malware analysis and reverse engineering. It involves the recovery of assembly instructions from binary machine code. Correct disassembly of binaries is necessary to produce a higher level representation of the code and thus allow the analysis to develop high-level understanding of its behavior and purpose. Nonetheless, it can be problematic in the case of malicious code, as malware writers often employ techniques to thwart correct disassembly by standard tools. In this paper, we focus on the disassembly of x86 self-modifying binaries with overlapping instructions. Current state-of-the-art disassemblers fail to interpret these two common forms of obfuscation, causing an incorrect disassembly of large parts of the input. We introduce a novel disas-sembly method, called concatic disassembly, that combines CONCrete path execution with stATIC disassembly. We have developed a standalone disassembler called CoDisasm that implements this approach. Our approach substantially improves the success of disassembly when confronted with both self-modification and code overlap in analyzed bina-ries. To our knowledge, no other disassembler thwarts both of these obfuscations methods together.
Fichier principal
Vignette du fichier
codisasm.pdf (453.24 Ko) Télécharger le fichier
Origin : Files produced by the author(s)
Loading...

Dates and versions

hal-01257908 , version 1 (18-01-2016)

Identifiers

Cite

Guillaume Bonfante, Jose Fernandez, Jean-Yves Marion, Benjamin Rouxel, Fabrice Sabatier, et al.. CoDisasm: Medium Scale Concatic Disassembly of Self-Modifying Binaries with Overlapping Instructions. 22nd ACM Conference on Computer and Communications Security, Oct 2015, Denver, United States. ⟨10.1145/2810103.2813627⟩. ⟨hal-01257908⟩
364 View
1458 Download

Altmetric

Share

Gmail Facebook Twitter LinkedIn More