Disassembly of Executable Code Revisited
Authors
Abstract
Machine code disassembly routines form a fundamental component of software systems that statically analyze or modify executable programs. The task of disassembly is complicated by indirect jumps and the presence of nonexecutable data—jump tables, alignment bytes, etc.—in the instruction stream. Existing disassembly algorithms are not always able to cope successfully with executable files containing such features and fail silently—i.e., produce incorrect disassemblies without any indication that the results they are producing are incorrect. This can be a serious problem, since it can compromise the correctness of a binary rewriting tool. In this paper we examine two commonly used disassembly algorithms and illustrate their shortcomings. We propose a hybrid approach that performs better than these algorithms in the sense that it is able to detect situations where the disassembly may be incorrect and limit the extent of such disassembly errors. Experimental results indicate that the algorithm is quite effective: the amount of code flagged as incurring disassembly errors is usually quite small.
Similar resources
Instruction Reordering for Code Compression
Runtime executable code compression is a method which uses standard data compression methods and binary machine code transformations to achieve smaller file size, yet maintaining the ability to execute the compressed file as a regular executable. With a disassembler, an almost perfect instructional and functional level disassembly can be generated. Using the structural information of the compil...
Streamed analysis of network files to avoid false positives and to detect client-side attacks
Attacks exploiting client-side vulnerabilities are common nowadays. Those attacks are more difficult to address due to the complexity of protocols and file formats. Generic detection mechanisms, such as code disassembly, are often inefficient against client-side vulnerabilities due to size constraints in the gateway inspection and the embedded encoding specific to some file formats. This arti...
Enhancing Software Tamper-Resistance via Stealthy Address Computations
A great deal of software is distributed in the form of executable code. The ability to reverse engineer such executables can create opportunities for theft of intellectual property via software piracy, as well as security breaches by allowing attackers to discover vulnerabilities in an application [9]. Techniques such as watermarking and fingerprinting have been developed to discourage piracy [...
Differentiating Code from Data in x86 Binaries
Robust, static disassembly is an important part of achieving high coverage for many binary code analyses, such as reverse engineering, malware analysis, reference monitor in-lining, and software fault isolation. However, one of the major difficulties current disassemblers face is differentiating code from data when they are interleaved. This paper presents a machine learning-based disassembly a...
Analysis of disassembled executable codes by abstract interpretation
The aim of this paper is to define the abstract domain, abstract operator, abstract semantic, the environments and states of disassembled executable codes as well as a way to analyze the disassembled executable codes. Nowadays, static analysis on disassembled code is going to grow. Reverse engineering and malware analysis use this technique. Thus, we tried to perform pluralization the requirements ...