论文信息 - Analyzing Memory Accesses in Obfuscated x86 Executables

Analyzing Memory Accesses in Obfuscated x86 Executables

Programmers obfuscate their code to defeat manual or automated analysis. Obfuscations are often used to hide malicious behavior. In particular, malicious programs employ obfuscations of stack-based instructions, such as call and return instructions, to prevent an analyzer from determining which system functions it calls. Instead of using these instructions directly, a combination of other instructions, such as PUSH and POP, are used to achieve the same semantics. This paper presents an abstract interpretation based analysis to detect obfuscation of stack instructions. The approach combines Reps and Balakrishnan's value set analysis (VSA) and Lakhotia and Kumar's Abstract Stack Graph, to create an analyzer that can track stack manipulations where the stack pointer may be saved and restored in memory or registers. The analysis technique may be used to determine obfuscated calls made by a program, an important first step in detecting malicious behavior.

Arun Lakhotia | Mohamed R. Chouchane | Md. Enamul Karim | Michael Venable

[1] Saumya K. Debray,et al. Obfuscation of executable code to improve resistance to static disassembly , 2003, CCS '03.

[2] Christian S. Collberg,et al. A Taxonomy of Obfuscating Transformations , 1997 .

[3] Patrick Cousot,et al. Static determination of dynamic properties of programs , 1976 .

[4] Thomas W. Reps,et al. Analyzing Memory Accesses in x86 Executables , 2004, CC.

[5] P. Tonella,et al. Adding distribution to existing applications by means of aspect oriented programming , 2004 .

[6] Arun Lakhotia,et al. CHALLENGES IN GETTING ‘FORMAL’ WITH VIRUSES , 2003 .

[7] Shinichiro Yamamoto,et al. A CASE tool platform using an XML representation of Java source code , 2004, Source Code Analysis and Manipulation, Fourth IEEE International Workshop on.

[8] Peter Szor,et al. HUNTING FOR METAMORPHIC , 2001 .

[9] Arun Lakhotia,et al. Abstract Stack Graph to Detect Obfuscated Calls in Binaries , 2004 .

[10] Understanding Heuristics : Symantec ’ s Bloodhound Technology , 1997 .

[11] Mourad Debbabi,et al. Detection of Malicious Code in Cots Software: A Short Survey , 1999 .