Reconstructing a Packed DLL Binary for Static Analysis

Authors:
Xianggen Wang;Dengguo Feng;Purui Su
Affiliations:
University of Science and Technology of China, and State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences,;State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences,;State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences,
Venue:
ISPEC '09 Proceedings of the 5th International Conference on Information Security Practice and Experience
Year:
2009

Citing 14
Cited 0

Obfuscation of executable code to improve resistance to static disassembly

Proceedings of the 10th ACM conference on Computer and communications security
Exploiting Self-Modification Mechanism for Program Protection

COMPSAC '03 Proceedings of the 27th Annual International Conference on Computer Software and Applications
Semantics-Aware Malware Detection

SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Strengthening Software Self-Checksumming via Self-Modifying Code

ACSAC '05 Proceedings of the 21st Annual Computer Security Applications Conference
BIRD: Binary Interpretation using Runtime Disassembly

Proceedings of the International Symposium on Code Generation and Optimization
A control flow obfuscation method to discourage malicious tampering of software codes

ASIACCS '06 Proceedings of the 2006 ACM Symposium on Information, computer and communications security
PolyUnpack: Automating the Hidden-Code Extraction of Unpack-Executing Malware

ACSAC '06 Proceedings of the 22nd Annual Computer Security Applications Conference
QEMU, a fast and portable dynamic translator

ATEC '05 Proceedings of the annual conference on USENIX Annual Technical Conference
Static analysis of executables to detect malicious patterns

SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Exploring Multiple Execution Paths for Malware Analysis

SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
Renovo: a hidden code extractor for packed executables

Proceedings of the 2007 ACM workshop on Recurring malcode
Combatting Software Piracy by Encryption and Key Management

Computer
Tamper resistant software by integrity-based encryption

PDCAT'04 Proceedings of the 5th international conference on Parallel and Distributed Computing: applications and Technologies
CodeSurfer/x86—A platform for analyzing x86 executables

CC'05 Proceedings of the 14th international conference on Compiler Construction

Quantified Score

Hi-index	0.00

Visualization

Abstract

DLLs (Dynamic Link Libraries) are usually protected by various anti-reversing engineering techniques. One technique commonly used is code packing as packed DLLs hinder static code analysis such as disassembly. In this paper, we propose a technique to reconstruct a binary file for static analysis by loading a DLL and triggering and monitoring the execution of the entry-point function and exported functions of packed DLLs. By monitoring all memory operations and control transfer instructions, our approach extracts the original hidden code which is written into the memory at run-time and constructs a binary based on the original DLL, the codes extracted and the records of control transfers. To demonstrate its effectiveness, we implemented our prototype ReconPD based on QEMU. The experiments show that ReconPD is able to analyze the packed DLLs, yet practical in terms of performance. Moreover, the reconstructed binary files can be successfully analyzed by static analysis tools, such as IDA Pro.