Skip to Main content Skip to Navigation
Conference papers

CoDisasm: Medium Scale Concatic Disassembly of Self-Modifying Binaries with Overlapping Instructions

Abstract : Fighting malware involves analyzing large numbers of suspicious binary files. In this context, disassembly is a crucial task in malware analysis and reverse engineering. It involves the recovery of assembly instructions from binary machine code. Correct disassembly of binaries is necessary to produce a higher level representation of the code and thus allow the analysis to develop high-level understanding of its behavior and purpose. Nonetheless, it can be problematic in the case of malicious code, as malware writers often employ techniques to thwart correct disassembly by standard tools. In this paper, we focus on the disassembly of x86 self-modifying binaries with overlapping instructions. Current state-of-the-art disassemblers fail to interpret these two common forms of obfuscation, causing an incorrect disassembly of large parts of the input. We introduce a novel disas-sembly method, called concatic disassembly, that combines CONCrete path execution with stATIC disassembly. We have developed a standalone disassembler called CoDisasm that implements this approach. Our approach substantially improves the success of disassembly when confronted with both self-modification and code overlap in analyzed bina-ries. To our knowledge, no other disassembler thwarts both of these obfuscations methods together.
Complete list of metadata

Cited literature [32 references]  Display  Hide  Download
Contributor : Guillaume Bonfante Connect in order to contact the contributor
Submitted on : Monday, January 18, 2016 - 2:00:06 PM
Last modification on : Saturday, October 16, 2021 - 11:26:05 AM
Long-term archiving on: : Friday, November 11, 2016 - 9:53:34 AM


Files produced by the author(s)




Guillaume Bonfante, Jose Fernandez, Jean-Yves Marion, Benjamin Rouxel, Fabrice Sabatier, et al.. CoDisasm: Medium Scale Concatic Disassembly of Self-Modifying Binaries with Overlapping Instructions. 22nd ACM Conference on Computer and Communications Security, Oct 2015, Denver, United States. ⟨10.1145/2810103.2813627⟩. ⟨hal-01257908⟩



Record views


Files downloads