使用过程间数据流分析从二进制文件中恢复c++对象

PPREW'14 Pub Date : 2014-01-22 DOI:10.1145/2556464.2556465

Wesley Jin, Cory F. Cohen, Jeffrey Gennari, C. Hines, S. Chaki, A. Gurfinkel, Jeffrey Havrilla, P. Narasimhan

{"title":"使用过程间数据流分析从二进制文件中恢复c++对象","authors":"Wesley Jin, Cory F. Cohen, Jeffrey Gennari, C. Hines, S. Chaki, A. Gurfinkel, Jeffrey Havrilla, P. Narasimhan","doi":"10.1145/2556464.2556465","DOIUrl":null,"url":null,"abstract":"Object-oriented programming complicates the already difficult task of reverse engineering software, and is being used increasingly by malware authors. Unlike traditional procedural-style code, reverse engineers must understand the complex interactions between object-oriented methods and the shared data structures with which they operate on, a tedious manual process.\n In this paper, we present a static approach that uses symbolic execution and inter-procedural data flow analysis to discover object instances, data members, and methods of a common class. The key idea behind our work is to track the propagation and usage of a unique object instance reference, called a this pointer. Our goal is to help malware reverse engineers to understand how classes are laid out and to identify their methods. We have implemented our approach in a tool called ObJDIGGER, which produced encouraging results when validated on real-world malware samples.","PeriodicalId":326045,"journal":{"name":"PPREW'14","volume":"47 9","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2014-01-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"37","resultStr":"{\"title\":\"Recovering C++ Objects From Binaries Using Inter-Procedural Data-Flow Analysis\",\"authors\":\"Wesley Jin, Cory F. Cohen, Jeffrey Gennari, C. Hines, S. Chaki, A. Gurfinkel, Jeffrey Havrilla, P. Narasimhan\",\"doi\":\"10.1145/2556464.2556465\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Object-oriented programming complicates the already difficult task of reverse engineering software, and is being used increasingly by malware authors. Unlike traditional procedural-style code, reverse engineers must understand the complex interactions between object-oriented methods and the shared data structures with which they operate on, a tedious manual process.\\n In this paper, we present a static approach that uses symbolic execution and inter-procedural data flow analysis to discover object instances, data members, and methods of a common class. The key idea behind our work is to track the propagation and usage of a unique object instance reference, called a this pointer. Our goal is to help malware reverse engineers to understand how classes are laid out and to identify their methods. We have implemented our approach in a tool called ObJDIGGER, which produced encouraging results when validated on real-world malware samples.\",\"PeriodicalId\":326045,\"journal\":{\"name\":\"PPREW'14\",\"volume\":\"47 9\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2014-01-22\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"37\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"PPREW'14\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1145/2556464.2556465\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"PPREW'14","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2556464.2556465","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 37

摘要

面向对象编程使逆向工程软件本已困难的任务变得更加复杂，并且越来越多地被恶意软件作者所使用。与传统的过程式代码不同，逆向工程师必须理解面向对象方法和他们所操作的共享数据结构之间的复杂交互，这是一个乏味的手工过程。在本文中，我们提出了一种静态方法，该方法使用符号执行和过程间数据流分析来发现一个公共类的对象实例、数据成员和方法。我们工作背后的关键思想是跟踪唯一对象实例引用(称为this指针)的传播和使用。我们的目标是帮助恶意软件逆向工程师了解类是如何布局的，并识别它们的方法。我们已经在一个名为ObJDIGGER的工具中实现了我们的方法，当在真实的恶意软件样本上验证时，它产生了令人鼓舞的结果。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

Recovering C++ Objects From Binaries Using Inter-Procedural Data-Flow Analysis

Object-oriented programming complicates the already difficult task of reverse engineering software, and is being used increasingly by malware authors. Unlike traditional procedural-style code, reverse engineers must understand the complex interactions between object-oriented methods and the shared data structures with which they operate on, a tedious manual process. In this paper, we present a static approach that uses symbolic execution and inter-procedural data flow analysis to discover object instances, data members, and methods of a common class. The key idea behind our work is to track the propagation and usage of a unique object instance reference, called a this pointer. Our goal is to help malware reverse engineers to understand how classes are laid out and to identify their methods. We have implemented our approach in a tool called ObJDIGGER, which produced encouraging results when validated on real-world malware samples.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

PPREW'14

自引率

0.00%

发文量

期刊最新文献

Recovering C++ Objects From Binaries Using Inter-Procedural Data-Flow Analysis The GDSL toolkit: Generating Frontends for the Analysis of Machine Code TDVMP: Improved Virtual Machine-Based Software Protection with Time Diversity DroidLegacy: Automated Familial Classification of Android Malware Analyzing program dependencies for malware detection