Extracting Sent Message Formats from Executables Using Backward Slicing

Reverse-engineering a malware sample's network protocol is a core task in malicious-software analysis: to take control of a sample's behaviour, an analyst must be able to rewrite the messages it sends and receives according to that protocol, which in turn requires detailed knowledge of the format of the messages the infected host sends during a network dialog. Existing work on sent-message extraction has limitations, and the malware's source code is usually unavailable. This paper proposes a method for extracting sent-message formats from executables alone. It first records a reliable execution trace of the malware program, then recovers the syntactic structure of the buffer passed to the send function by combining binary code analysis with dynamic backward program slicing over the binary trace, and finally applies dynamic taint analysis to attach semantic information to the individual syntactic fields. Experimental results show that the framework effectively recovers the format of malware's sent messages.
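The slicing step described above, as an added illustration that is not the paper's own code: a dynamic backward slice is computed over a recorded instruction trace, starting from the bytes of the buffer at the send call and walking backwards so that each instruction joins the slice only if it writes a location that is still live, after which its reads become live and the locations it wrote are killed. Slicing each buffer byte separately and merging adjacent bytes with identical provenance yields the field boundaries; the locations a field's slice reads but never writes (a constant, a length variable, file data) stand in for the taint sources the paper recovers with dynamic taint analysis. The trace, the `buf[i]`/`mem:`/`imm:` location naming and all addresses are constructed for the example; a real pipeline would record the trace with a dynamic binary instrumentation framework.

```python
"""Dynamic backward slicing over a constructed execution trace to recover the
field layout of a send() buffer.  Added example; the trace is hand-written,
not recorded from any real binary."""
from dataclasses import dataclass
from typing import FrozenSet, List, Set


@dataclass
class Insn:
    pc: int
    text: str          # disassembly, for display only
    reads: List[str]   # locations read: registers, memory cells, buffer bytes, immediates
    writes: List[str]  # locations written


@dataclass
class Field:
    lo: int                  # first buffer byte offset
    hi: int                  # last buffer byte offset (inclusive)
    pcs: FrozenSet[int]      # instructions in the field's backward slice
    sources: FrozenSet[str]  # inputs the field is ultimately derived from


def backward_slice(trace: List[Insn], criterion: Set[str]) -> List[Insn]:
    """Instructions on which the values in `criterion` (at the end of the trace)
    data-depend.  An instruction joins the slice iff it writes a live location;
    the locations it wrote are killed and the locations it read become live, so
    an earlier write that is later overwritten (e.g. a memset) is excluded."""
    live = set(criterion)
    sliced: List[Insn] = []
    for insn in reversed(trace):
        written = live.intersection(insn.writes)
        if not written:
            continue
        sliced.append(insn)
        live -= written
        live |= set(insn.reads)
    sliced.reverse()
    return sliced


def taint_sources(sliced: List[Insn]) -> FrozenSet[str]:
    """Locations the slice reads but never writes: the slice's external inputs."""
    written = {loc for i in sliced for loc in i.writes}
    read = {loc for i in sliced for loc in i.reads}
    return frozenset(read - written)


def infer_fields(trace: List[Insn]) -> List[Field]:
    """Treat the last trace entry as the send call; its reads are the buffer bytes.
    Slice each byte on its own, then merge adjacent bytes with equal provenance."""
    send, body = trace[-1], trace[:-1]
    buf = sorted(send.reads, key=lambda loc: int(loc[loc.index("[") + 1:-1]))
    prov = []
    for loc in buf:
        sl = backward_slice(body, {loc})
        prov.append((frozenset(i.pc for i in sl), taint_sources(sl)))
    fields: List[Field] = []
    start = 0
    for i in range(1, len(buf) + 1):
        if i == len(buf) or prov[i] != prov[start]:
            fields.append(Field(start, i - 1, *prov[start]))
            start = i
    return fields


BUF = [f"buf[{i}]" for i in range(7)]

# Constructed trace: a 7-byte message of the form [type:1][length:2][payload:4].
TRACE = [
    Insn(0x401000, "rep stosb              ; memset(buf, 0, 7)", ["imm:0x00"], BUF),
    Insn(0x401002, "mov  eax, 0x01         ; message type", ["imm:0x01"], ["eax"]),
    Insn(0x401007, "mov  [buf+0], al", ["eax"], ["buf[0]"]),
    Insn(0x40100a, "mov  ecx, [payload_len]", ["mem:payload_len"], ["ecx"]),
    Insn(0x401010, "mov  [buf+1], cx", ["ecx"], ["buf[1]", "buf[2]"]),
    Insn(0x401014, "mov  esi, [counter]    ; unrelated bookkeeping", ["mem:counter"], ["esi"]),
    Insn(0x40101a, "mov  edx, [file_data]", ["mem:file_data"], ["edx"]),
    Insn(0x401020, "mov  [buf+3], edx", ["edx"], ["buf[3]", "buf[4]", "buf[5]", "buf[6]"]),
    Insn(0x401023, "call send              ; send(sock, buf, 7, 0)", BUF, ["eax"]),
]


if __name__ == "__main__":
    by_pc = {i.pc: i for i in TRACE}
    for f in infer_fields(TRACE):
        print(f"bytes {f.lo}..{f.hi}  derived from {sorted(f.sources)}")
        for pc in sorted(f.pcs):
            print(f"    {pc:#x}  {by_pc[pc].text}")
```

Running the block prints three fields: byte 0 derived from the immediate 0x01, bytes 1..2 from `mem:payload_len`, and bytes 3..6 from `mem:file_data`. The memset and the `esi` bookkeeping instruction never appear in any slice, the former because every byte it wrote is later overwritten, the latter because nothing the send call reads depends on it.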
