Adapting Call-string Approach for x86 Obfuscated Binaries

Davidson R. Boccardo, Arun Lakhotia, Michael Venable, Aleardo Manacero Jr.

The call-string technique, a classic technique for interprocedural analysis, cannot be applied to binaries that do not follow the stack conventions used by high-level language compilers. Examples are programs that make obfuscated procedure calls using push and return instructions, a technique widely used to hide malicious code. In this paper it is shown that a technique equivalent to call-strings, the abstract stack graph (ASG), may be used to identify such obfuscations. An ASG contains nodes representing statements that push some element on the stack. An edge in the graph represents the next instruction that pushes a value on the abstract stack along some control-flow path. For a program that manipulates the stack using only call and return instructions, its ASG is equivalent to its call graph. Since the ASG represents stack operations performed by any instruction, it becomes a suitable substitute for the call graph in the interprocedural analysis of obfuscated binaries.
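The following is an added toy model of the abstract stack graph idea described in the abstract; it is not the authors' implementation. It assumes a constructed instruction set (push imm, pop, call, ret, jmp, nop) over a dictionary of address to instruction, and that every pushed value is a constant the analysis can read back when a ret consumes it. Nodes are push and call instructions, an edge links a push to the next push reached along some path, pops walk the edges backwards, and a ret that consumes a value pushed by a plain push (rather than a call) is flagged as a disguised call. The two sample programs, a normal call and its push/jmp/ret obfuscation, produce the same graph, which is the equivalence the abstract claims.

```python
"""Toy abstract stack graph (ASG) builder (illustration only, not the paper's code).
Assumes a constructed instruction set: ("push", imm), ("pop", None), ("call", addr),
("ret", None), ("jmp", addr), ("nop", None), stored as {address: instruction}."""
from collections import defaultdict, deque

BOTTOM = "bottom"  # pseudo-node standing for the empty abstract stack


class AbstractStackGraph:
    def __init__(self, program):
        self.program = program
        self.succ = defaultdict(set)           # push node -> next push on some path
        self.pred = defaultdict(set)           # reverse edges: what lay beneath a node
        self.resolved_rets = defaultdict(set)  # ret addr -> statically resolved targets
        self.disguised_calls = set()           # pushes whose value a ret later consumes

    def pushed_value(self, node):
        mnem, op = self.program[node]
        return node + 1 if mnem == "call" else op  # a call pushes its return address

    def _step(self, addr, top):
        """Successor (address, top-of-stack node) pairs for one abstract state."""
        mnem, op = self.program[addr]
        if mnem in ("push", "call"):
            self.succ[top].add(addr)           # ASG edge: `top` is followed by this push
            self.pred[addr].add(top)
            return [(op if mnem == "call" else addr + 1, addr)]
        if mnem == "pop":
            return [(addr + 1, below) for below in self.pred[top]]
        if mnem == "ret":
            if top == BOTTOM:
                return []                      # returning out of the analysed code
            target = self.pushed_value(top)
            self.resolved_rets[addr].add(target)
            if self.program[top][0] == "push":
                self.disguised_calls.add(top)  # ret consumed a hand-pushed address
            return [(target, below) for below in self.pred[top]]
        if mnem == "jmp":
            return [(op, top)]
        return [(addr + 1, top)]               # nop: fall through

    def _sweep(self, entry):
        seen, work = set(), deque([(entry, BOTTOM)])
        while work:
            state = work.popleft()
            if state in seen:
                continue
            seen.add(state)
            for nxt in self._step(*state):
                if nxt[0] in self.program:
                    work.append(nxt)

    def build(self, entry=0):
        # pred sets may grow after a pop/ret consulted them, so sweep until stable
        while True:
            before = sum(len(s) for s in self.succ.values())
            self._sweep(entry)
            if sum(len(s) for s in self.succ.values()) == before:
                return self

    def edges(self):
        return {(src, dst) for src, dsts in self.succ.items() for dst in dsts}


def analyze(program, entry=0):
    g = AbstractStackGraph(program).build(entry)
    return {
        "edges": g.edges(),
        "resolved_rets": {k: set(v) for k, v in g.resolved_rets.items()},
        "disguised_calls": set(g.disguised_calls),
    }


# Constructed sample: a conventional call to a routine at 10 ...
PLAIN = {
    0: ("call", 10),
    1: ("ret", None),
    10: ("push", 7),
    11: ("pop", None),
    12: ("ret", None),
}

# ... and the same routine invoked by pushing the return address and jumping.
OBFUSCATED = {
    0: ("push", 2),
    1: ("jmp", 10),
    2: ("ret", None),
    10: ("push", 7),
    11: ("pop", None),
    12: ("ret", None),
}

if __name__ == "__main__":
    for name, prog in (("plain", PLAIN), ("obfuscated", OBFUSCATED)):
        print(name, analyze(prog))
```

Running the module prints identical edge sets for both programs (bottom to 0, 0 to 10), resolves the ret at 12 to address 1 in the plain case and to address 2 in the obfuscated one, and reports the push at 0 as a disguised call only for the obfuscated program.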


Biblioteca Digital Brasileira de Computação (Brazilian Digital Library of Computing)