Abstracting stack to detect obfuscated calls in binaries

Information about calls to the operating system (or kernel libraries) made by a binary executable may be used to determine whether the binary is malicious. Being aware of this approach, malicious programmers hide this information by making such calls without using the call instruction. For instance, the "call addr" instruction may be replaced by two push instructions and a return instruction: the first push pushes the address of the instruction after the return instruction, and the second push pushes the address addr. The code may be further obfuscated by spreading the three instructions apart and by splitting each instruction into multiple instructions. This paper presents a method to statically detect obfuscated calls in binary code. The notion of an abstract stack is introduced to associate each element in the stack with the instruction that pushes that element. An abstract stack graph is a concise representation of all abstract stacks at every point in the program. An abstract stack graph, created by abstract interpretation of the binary executable, may be used to detect obfuscated calls and other stack-related obfuscations.
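As an added illustration (not code from the paper), the following Python pass applies the abstract-stack idea to a constructed, linear toy instruction list: every stack element carries the index of the instruction that produced it, so a `ret` that pops an element produced by a `push` (or by a `sub esp,4` / `mov [esp],...` pair, the split form the abstract mentions) rather than by the caller's `call` is reported as an obfuscated call. The instruction tuples and the labels `L_after` and `target_fn` are constructed for the example.

```python
from typing import Optional

ENTRY = "entry"  # element pushed by the caller's call instruction (the real return address)


def abstract_stack_pass(program: list[tuple[str, str]]) -> list[tuple[int, Optional[int], Optional[str]]]:
    """Linear abstract-stack pass over a toy instruction list.

    Returns one finding per `ret` whose popped element was not pushed by a call:
    (ret index, index of the instruction that produced the element, value it wrote,
    i.e. the obfuscated call target). A ret on an empty abstract stack yields (idx, None, None).
    """
    # Abstract stack element: (producer, value). On function entry the stack holds
    # exactly one element, the return address pushed by the caller's call.
    stack: list[tuple[object, Optional[str]]] = [(ENTRY, None)]
    findings: list[tuple[int, Optional[int], Optional[str]]] = []
    for idx, (op, arg) in enumerate(program):
        compact = arg.replace(" ", "")
        if op == "push":
            stack.append((idx, arg))
        elif op == "pop":
            if stack:
                stack.pop()
        elif op == "sub" and compact == "esp,4":
            stack.append((idx, None))  # slot reserved, value not yet written
        elif op == "mov" and compact.startswith("[esp],"):
            if stack:
                stack[-1] = (idx, arg.split(",", 1)[1].strip())  # value written into top slot
        elif op == "ret":
            if not stack:
                findings.append((idx, None, None))
                continue
            producer, value = stack.pop()
            if producer != ENTRY:  # return address did not come from a call
                findings.append((idx, producer, value))
        # `call` and every other instruction leave the caller's abstract stack unchanged
    return findings


# Constructed sample: "call target_fn" rewritten as two pushes and a ret, spread across
# unrelated instructions, with the second push split into sub/mov; then a benign function.
OBFUSCATED = [
    ("push", "L_after"),          # 0: fake return address, pushed by push instead of call
    ("mov", "eax, 1"),            # 1
    ("sub", "esp, 4"),            # 2: first half of a split "push target_fn"
    ("xor", "ecx, ecx"),          # 3
    ("mov", "[esp], target_fn"),  # 4: second half of the split push
    ("ret", ""),                  # 5: transfers control to target_fn
]
BENIGN = [("push", "ebp"), ("mov", "ebp, esp"), ("pop", "ebp"), ("ret", "")]

if __name__ == "__main__":
    for name, prog in (("obfuscated", OBFUSCATED), ("benign", BENIGN)):
        print(name, abstract_stack_pass(prog))
```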
