Analyzing Memory Accesses in Obfuscated x86 Executables
Authors
Abstract
Programmers obfuscate their code to defeat manual or automated analysis. Obfuscations are often used to hide malicious behavior. In particular, malicious programs employ obfuscations of stack-based instructions, such as call and return instructions, to prevent an analyzer from determining which system functions they call. Instead of using these instructions directly, a combination of other instructions, such as PUSH and POP, is used to achieve the same semantics. This paper presents an abstract-interpretation-based analysis to detect obfuscation of stack instructions. The approach combines Reps and Balakrishnan's value set analysis (VSA) and Lakhotia and Kumar's Abstract Stack Graph to create an analyzer that can track stack manipulations where the stack pointer may be saved and restored in memory or registers. The analysis technique may be used to determine the obfuscated calls made by a program, an important first step in detecting malicious behavior.
Similar resources
Analyzing Memory Accesses in x86 Executables
This paper concerns static-analysis algorithms for analyzing x86 executables. The aim of the work is to recover intermediate representations that are similar to those that can be created for a program written in a high-level language. Our goal is to perform this task for programs such as plugins, mobile code, worms, and virus-infected code. For such programs, symbol-table and debugging informat...
CodeSurfer/x86 - A Platform for Analyzing x86 Executables
CodeSurfer/x86 is a prototype system for analyzing x86 executables. It uses a static-analysis algorithm called value-set analysis (VSA) to recover intermediate representations that are similar to those that a compiler creates for a program written in a high-level language. A major challenge in building an analysis tool for executables is in providing useful information about operations involvin...
Recovery of Variables and Heap Structure in x86 Executables
This paper addresses two problems that arise when analyzing executables: (1) recovering variable-like quantities in the absence of symbol-table and debugging information, and (2) recovering useful information about objects allocated in the heap.
Graduate Program in Electrical Engineering, Doctoral Thesis: "Context-Sensitive Analysis of x86 Obfuscated Executables"
A code obfuscation intends to confuse a program in order to make it more difficult to understand while preserving its functionality. Programs may be obfuscated to protect intellectual property and to increase security of code. Programs may also be obfuscated to hide malicious behavior and to evade detection by anti-virus scanners. We introduce a method for context-sensitive analysis of binaries...