ReconBin: Reconstructing Binary File from Execution for Software Analysis

机译：重新签署：从执行中重建二进制文件进行软件分析

获取原文

页面导航

摘要
著录项
相似文献
相关主题

摘要

Static analysis is one of the most popular approaches of software analysis. As more and more software protects their code by transformation or encryption, then releases them at runtime dynamically, it is hard to statically analyze these protected executables because of the failure of disassembling. In this paper, we propose a novel and general technique to reconstruct binary files for static analysis by monitoring the executions of protected executables. Our approach can identify and extract the dynamically released code at runtime, and at the same time record the control transfers information, and then reconstruct a binary file based on the original executable. The whole process does not depend on any prior knowledge on the protection methods. Experiments on our prototype ReconBin show that our approach can properly reconstruct the executables protected by SMC and packers, and the reconstructed binary files can be successfully analyzed by static analysis tools such as IDA Pro. We show that it also can be used to analyze the code dynamically generated by virtual machines, emulators, and buffer overflow attacks, which also dynamically inject attack code into stack and direct execution flow to it.

机译：静态分析是软件分析最受欢迎的方法之一。随着越来越多的软件通过转换或加密保护其代码，然后动态地在运行时释放它们，由于拆卸失败，难以静态分析这些受保护的可执行文件。在本文中，我们提出了一种通过监控受保护的可执行文件的执行来重建静态分析的新颖和一般技术。我们的方法可以在运行时识别和提取动态发布的代码，同时记录控制传输信息，然后基于原始可执行文件重建二进制文件。整个过程不依赖于对保护方法的任何先前知识。我们的原型重建实验表明，我们的方法可以正确地重建由SMC和包装器保护的可执行文件，并且可以通过静态分析工具（如IDA Pro）成功分析重建的二进制文件。我们还表明它也可用于分析虚拟机，仿真器和缓冲区溢出攻击动态生成的代码，该漏洞也将攻击代码动态注入堆栈并直接执行流到它。

著录项

来源
《IEEE international conference on secure integration and reliability improvement》|2009年||共8页
会议地点
作者
Lingyun YING; Purui SU; Dengguo FENG; Xianggen WANG; Yi YANG; Yu LIU;
展开▼
作者单位

展开▼
会议组织
原文格式 PDF
正文语种
中图分类计算机软件;
关键词
execution monitoring; software security analysis; malware analysis; binary analysis;

机译：执行监控;软件安全性分析;恶意软件分析;二进制分析;

相似文献

外文文献
中文文献
专利

1. Separation of an executable-file for new software execution style - and its application for Java runtime environment [J] . Satoshi Numata, Hirotaka Uoi 電子情報通信学会技術研究報告. ソフトウェアサイエンス. Software Science . 2002,第246期

机译：用于新软件执行样式的可执行文件的分离-及其在Java运行时环境中的应用
2. Separation of an executable-file for new software execution style - and its application for Java runtime environment [J] . Satoshi Numata, Hirotaka Uoi 電子情報通信学会技術研究報告. ソフトウェアサイエンス. Software Science . 2002,第246期

机译：分离新软件执行样式的可执行文件 - 及其对Java运行时环境的应用程序
3. Efficient file fuzz testing using automated analysis of binary file format [J] . Kim H.C., Choi Y.H., Lee D.H. Journal of systems architecture . 2011,第3期

机译：使用二进制文件格式的自动分析进行有效的文件模糊测试
4. ReconBin: Reconstructing Binary File from Execution for Software Analysis [C] . Lingyun YING, Purui SU, Dengguo FENG, 2009 third IEEE international conference on secure integration and reliability improvement . 2009

机译：ReconBin：从执行中重建二进制文件以进行软件分析
5. Automated Analysis for Correct and Efficient Execution of Software Middleboxes [D] . Zhang, Kaiyuan. 2021

机译：对软件中间盒的正确和高效执行自动分析
6. Inferences of biogeographical histories within subfamily Hyacinthoideae using S-DIVA and Bayesian binary MCMC analysis implemented in RASP (Reconstruct Ancestral State in Phylogenies) [O] . Syed Shujait Ali, Yan Yu, Martin Pfosser, 2012

机译：使用S-DIVA和在RASP中实施贝叶斯二元MCMC分析（在系统发育中重建祖先状态）推断葫芦科亚科的生物地理历史
7. Figure 6: (A) Tree resulted the standard MP analysis of the 98-loci supermatrix of the Great Apes (Hominidae, Primates, Mammalia) constructed using the modified summary of Lehtonen et al. (2011) (see “Materials and Methods” for the details) and a posteriori rooted relatively Papio (length = 12,092, CI = 0.7877, RI = 0.5597); 34,022 characters are constant, and the number of the parsimony-informative characters is equal to 4,311. MP BS values are provided below branches. The only characters with non-ambiguous value of the outgroup (Papio) have been saved within concatenated alignment; (B) the average consensus tree of the score 0.00084 resulted the analysis of the Hennigian forest of the 5,507 trees derived from the binary representation of the 98-loci supermatrix of the Great Apes (Hominidae, Primates, Mammalia) (see “Materials and Methods” for the details); Papio is assumed to be the best all-plesiomorphic group. “Additional…” FORESTER’s output tree file (see “Materials and Methods” for the details) selected for future analyses; (C) the average consensus tree of the score 0.00090 resulted the analysis of the Hennigian forest of the 5,339 trees derived from the modified binary representation of the 98-loci supermatrix of the Great Apes (Hominidae, Primates, Mammalia) (see 6.I. and “Materials and Methods” for the details), but with all 168 trees, which contain the clade (Homo plus Pan) have been removed from the input forest. “Additional…” FORESTER’s output tree file (see “Materials and Methods”) selected for future analyses. [O] . -1

机译：图6：（A）树导致的标准MP分析的98-基因座的类人猿（人科，灵长类动物，哺乳动物），使用莱赫托宁等人的修改的摘要构成的超级矩阵。（2011）（参见细节“材料和方法”）以及相对植根狒狒后验概率（长度= 12092，CI = 0.7877，RI = 0.5597）; 34022个字符是恒定的，并且简约信息的字符数等于4311。下面提供分支MP BS值。与外类群（狒狒）的非模糊值的唯一的字符已被保存的级联对准内; （B）的得分0.00084的平均一致树导致从巨猿（原始人类，灵长类动物，哺乳动物）的98座超级矩阵的二进制表示获得的5507棵的Hennigian森林的分析（见“材料和方法”为细节）;狒狒被认为是最好的全祖征群。 “其他...” FORESTER的输出树文件（请参阅详细信息“材料和方法”），用于进一步的分析; （C）的分数0.00090的平均一致树导致从98个位点的类人猿（人科，灵长类动物，哺乳动物）的超级矩阵（见6.I的改性二进制表示导出的5339种树木的Hennigian森林的分析以及“材料和方法”的详细说明），但所有168棵，其中包含的分支（智人加PAN）已经从输入林中删除。 “其他...” FORESTER的输出树文件（参见“材料和方法”），用于进一步的分析。

ReconBin: Reconstructing Binary File from Execution for Software Analysis

摘要

著录项

相似文献

相关主题

期刊订阅