Recovering C++ Objects From Binaries Using Inter-Procedural Data-Flow Analysis

Authors:
Wesley Jin;Cory Cohen;Jeffrey Gennari;Charles Hines;Sagar Chaki;Arie Gurfinkel;Jeffrey Havrilla;Priya Narasimhan
Affiliations:
CMU;CERT;CERT;CERT;SEI;SEI;CERT;CMU
Venue:
Proceedings of ACM SIGPLAN on Program Protection and Reverse Engineering Workshop 2014
Year:
2014

Citing 10
Cited 0

Data flow analysis for `intractable' system software

SIGPLAN '86 Proceedings of the 1986 SIGPLAN symposium on Compiler construction
Interprocedural slicing using dependence graphs

PLDI '88 Proceedings of the ACM SIGPLAN 1988 conference on Programming Language design and Implementation
Aggregate structure identification and its application to program analysis

Proceedings of the 26th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Symbolic execution and program testing

Communications of the ACM
Analysis of Virtual Method Invocation for Binary Translation

WCRE '02 Proceedings of the Ninth Working Conference on Reverse Engineering (WCRE'02)
Using Dynamic Information in the Interprocedural Static Slicing of Binary Executables

Software Quality Control
DIVINE: discovering variables in executables

VMCAI'07 Proceedings of the 8th international conference on Verification, model checking, and abstract interpretation
DDE: dynamic data structure excavation

Proceedings of the first ACM asia-pacific workshop on Workshop on systems
Reconstruction of Class Hierarchies for Decompilation of C++ Programs

CSMR '10 Proceedings of the 2010 14th European Conference on Software Maintenance and Reengineering
SmartDec: Approaching C++ Decompilation

WCRE '11 Proceedings of the 2011 18th Working Conference on Reverse Engineering

Quantified Score

Hi-index	0.00

Visualization

Abstract

Object-oriented programming complicates the already difficult task of reverse engineering software, and is being used increasingly by malware authors. Unlike traditional procedural-style code, reverse engineers must understand the complex interactions between object-oriented methods and the shared data structures with which they operate on, a tedious manual process. In this paper, we present a static approach that uses symbolic execution and inter-procedural data flow analysis to discover object instances, data members, and methods of a common class. The key idea behind our work is to track the propagation and usage of a unique object instance reference, called a this pointer. Our goal is to help malware reverse engineers to understand how classes are laid out and to identify their methods. We have implemented our approach in a tool called ObJDIGGER, which produced encouraging results when validated on real-world malware samples.