A New Disassembly Approach for Binary Code Using Dynamic Multiple-Path Exploration and Static Disassembly

We present a new approach for disassembling executables that contain self-modifying code. Self-modifying code is very common in malware, and conventional purely static or purely dynamic approaches do not handle it well. We combine static and dynamic analysis with a multiple-path exploration technique to disassemble self-modifying code. Our evaluation results indicate that the approach disassembles executables with self-modifying code with high precision and high code coverage compared with a state-of-the-art disassembler.
