Recovering C++ Objects From Binaries Using Inter-Procedural Data-Flow Analysis

Object-oriented programming complicates the already difficult task of reverse engineering software, and it is increasingly used by malware authors. Unlike procedural code, object-oriented code forces the reverse engineer to understand the interactions between methods and the shared data structures they operate on, a tedious manual process. In this paper, we present a static approach that uses symbolic execution and inter-procedural data-flow analysis to discover object instances, data members, and methods of a common class. The key idea behind our work is to track the propagation and usage of a unique object-instance reference, the this pointer: every method that receives it and every memory offset accessed through it belongs to the same object, and objects that share methods belong to the same class. Our goal is to help malware reverse engineers understand how classes are laid out and to identify their methods. We have implemented our approach in a tool called ObjDigger, which produced encouraging results when validated on real-world malware samples.
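The following is an added toy illustration of the this-pointer tracking idea, not ObjDigger's code and not taken from the paper. It assumes a constructed register-level IR with x86 register names, the Microsoft thiscall convention (this in ECX, EAX/ECX/EDX clobbered by calls), and a small hand-written listing standing in for disassembly; all of those are assumptions for the example. The analysis symbolically executes from an entry function, follows the object reference into every callee that receives it in ECX, records the offsets dereferenced through it as data members, and finally merges instances that share a method into one class.

```python
"""Toy inter-procedural this-pointer tracking over a constructed x86-like IR.

Added example, not ObjDigger's implementation. Instruction forms:
  ("alloc", dst, size)      dst = operator new(size)   -> fresh object id
  ("mov", dst, src)         register copy
  ("load", dst, base, off)  dst = [base + off]
  ("store", base, off, src) [base + off] = src
  ("call", target)          thiscall: this is passed in ECX
  ("ret",)
Real analyses must also handle stack slots, stores of object pointers
into memory, indirect (virtual) calls and aliasing; this toy omits them.
"""
from collections import defaultdict

# Constructed sample listing (an assumption, not real malware): two
# instances of one class and one instance of another, all built in main.
PROGRAM = {
    "main": [
        ("alloc", "eax", 8), ("mov", "esi", "eax"),   # obj1 parked in ESI
        ("mov", "ecx", "esi"), ("call", "ctor_A"),    # A::A(this=obj1)
        ("alloc", "eax", 8), ("mov", "edi", "eax"),   # obj2 parked in EDI
        ("mov", "ecx", "edi"), ("call", "ctor_A"),    # A::A(this=obj2)
        ("alloc", "eax", 12), ("mov", "ebx", "eax"),  # obj3 parked in EBX
        ("mov", "ecx", "ebx"), ("call", "ctor_B"),    # B::B(this=obj3)
        ("mov", "ecx", "esi"), ("call", "A_get"),     # obj1->get()
        ("ret",),
    ],
    "ctor_A": [
        ("mov", "esi", "ecx"),          # compilers often park this in a callee-saved reg
        ("store", "esi", 0, "imm"),     # this->x = ...
        ("store", "esi", 4, "imm"),     # this->y = ...
        ("mov", "ecx", "esi"), ("call", "A_init"),   # this->init(): this propagates
        ("ret",),
    ],
    "A_init": [("load", "eax", "ecx", 4), ("ret",)],   # reads this->y
    "A_get":  [("load", "eax", "ecx", 0), ("ret",)],   # reads this->x
    "ctor_B": [("store", "ecx", 0, "imm"), ("store", "ecx", 8, "imm"), ("ret",)],
}

CALLER_SAVED = ("eax", "ecx", "edx")   # assumption: clobbered across calls


class ThisTracker:
    """Follows object references through registers and across calls."""

    def __init__(self, program):
        self.program = program
        self.n_objects = 0
        self.methods = defaultdict(set)   # object id -> functions that received it as this
        self.members = defaultdict(set)   # object id -> offsets dereferenced through it
        self.seen = set()                 # (callee, object) pairs already analysed

    def run(self, entry):
        self._exec(entry, {})
        return self.methods, self.members

    def _exec(self, func, regs):
        regs = dict(regs)                 # register -> object id or None (unknown)
        for ins in self.program[func]:
            op = ins[0]
            if op == "alloc":
                self.n_objects += 1
                regs[ins[1]] = f"obj{self.n_objects}"
            elif op == "mov":
                regs[ins[1]] = regs.get(ins[2])
            elif op == "load":
                if regs.get(ins[2]):
                    self.members[regs[ins[2]]].add(ins[3])
                regs[ins[1]] = None       # loaded value is not tracked in this toy
            elif op == "store":
                if regs.get(ins[1]):
                    self.members[regs[ins[1]]].add(ins[2])
            elif op == "call":
                callee, obj = ins[1], regs.get("ecx")
                if obj is not None:       # this pointer flows into the callee
                    self.methods[obj].add(callee)
                    if (callee, obj) not in self.seen:
                        self.seen.add((callee, obj))
                        self._exec(callee, {"ecx": obj})
                for r in CALLER_SAVED:
                    regs[r] = None
            elif op == "ret":
                return


def group_classes(methods, members):
    """Union-find: instances sharing a method belong to one class.
    Returns sorted [(method names, member offsets)] per recovered class."""
    objects = set(methods) | set(members)
    parent = {o: o for o in objects}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    by_method = defaultdict(list)
    for obj, names in methods.items():
        for name in names:
            by_method[name].append(obj)
    for objs in by_method.values():
        for obj in objs[1:]:
            parent[find(obj)] = find(objs[0])
    classes = defaultdict(lambda: (set(), set()))
    for obj in objects:
        root = find(obj)
        classes[root][0].update(methods.get(obj, ()))
        classes[root][1].update(members.get(obj, ()))
    return sorted((sorted(m), sorted(f)) for m, f in classes.values())


def recover_classes(program=PROGRAM, entry="main"):
    methods, members = ThisTracker(program).run(entry)
    return group_classes(methods, members)


if __name__ == "__main__":
    for names, offsets in recover_classes():
        print("class with methods", names, "and members at offsets", offsets)
```

On the constructed listing this yields two classes: one with methods ctor_A, A_init and A_get and members at offsets 0 and 4 (A_init is attributed to both instances only because the analysis followed this through ctor_A), and one with ctor_B and members at offsets 0 and 8. Note that the grouping step relies on shared methods; an instance whose this never reaches a shared method would stay a singleton, which is one reason the paper combines this with richer data-flow facts.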
