String analysis for x86 binaries
PASTE '05 Proceedings of the 6th ACM SIGPLAN-SIGSOFT workshop on Program analysis for software tools and engineering
AWE: improving software analysis through modular integration of static and dynamic analyses
PASTE '07 Proceedings of the 7th ACM SIGPLAN-SIGSOFT workshop on Program analysis for software tools and engineering
Source Code Analysis: A Road Map
FOSE '07 2007 Future of Software Engineering
A static API birthmark for Windows binary executables
Journal of Systems and Software
Context-sensitive analysis of obfuscated x86 executables
Proceedings of the 2010 ACM SIGPLAN workshop on Partial evaluation and program manipulation
Malicious shellcode detection with virtual memory snapshots
INFOCOM'10 Proceedings of the 29th conference on Information communications
Context-sensitive analysis without calling-context
Higher-Order and Symbolic Computation
Analyzing memory accesses in obfuscated x86 executables
DIMVA'05 Proceedings of the Second international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Obfuscated malware detection using API call dependency
Proceedings of the First International Conference on Security of Internet of Things
Information about calls to the operating system (or kernel libraries) made by a binary executable may be used to determine whether the binary is malicious. Being aware of this approach, malicious programmers hide this information by making such calls without using the call instruction. For instance, the 'call addr' instruction may be replaced by two push instructions and a return instruction: the first push pushes the address of the instruction after the return instruction, and the second push pushes the address addr. The code may be further obfuscated by spreading the three instructions apart and by splitting each instruction into multiple instructions. This paper presents a method to statically detect obfuscated calls in binary code. The notion of an abstract stack is introduced to associate each element on the stack with the instruction that pushed it. An abstract stack graph is a concise representation of all abstract stacks at every point in the program. An abstract stack graph, created by abstract interpretation of the binary executable, may be used to detect obfuscated calls and other stack-related obfuscations.
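The push/push/ret substitution described above can be recognised by tracking, for every stack slot, which instruction pushed it. The following toy abstract-stack walker is an added illustration of that idea, not code from the paper or its authors: it handles only straight-line listings (no branches, so it builds a single abstract stack rather than the paper's graph), only immediate operands, and only push, pop, call and ret (instruction splitting such as writing the slot through esp is not modelled). The instruction listings, addresses and targets are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One instruction: (address, mnemonic, operand). Operand is an immediate or None.
Instr = Tuple[int, str, Optional[int]]


@dataclass
class Slot:
    """One abstract stack element: the value pushed and the instruction that pushed it."""
    value: Optional[int]   # pushed immediate, or None if not a constant
    pusher: int            # index in the listing of the pushing instruction


def _fallthrough_map(program: List[Instr]) -> Dict[int, int]:
    """Address of the instruction that follows each instruction in the listing."""
    return {program[i][0]: program[i + 1][0] for i in range(len(program) - 1)}


def analyze(program: List[Instr]) -> List[Tuple[str, int, Optional[int]]]:
    """Abstractly interpret a straight-line listing with a pusher-annotated stack.

    Returns (kind, instruction_address, target) findings, where kind is one of
    "call", "ret", "obfuscated_call" or "ret_via_push".  Callees are assumed
    to return and leave the stack balanced, so a `call` does not change the
    abstract stack (modelling assumption of this toy).
    """
    fallthrough = _fallthrough_map(program)
    stack: List[Slot] = []
    findings: List[Tuple[str, int, Optional[int]]] = []
    for idx, (addr, mnem, op) in enumerate(program):
        if mnem == "push":
            stack.append(Slot(op, idx))
        elif mnem == "pop":
            if stack:
                stack.pop()
        elif mnem == "call":
            findings.append(("call", addr, op))
        elif mnem == "ret":
            if not stack:
                # Nothing tracked: a normal return to a caller outside this listing.
                findings.append(("ret", addr, None))
                continue
            # Every slot we know of was put there by an explicit push, so this
            # `ret` transfers control to a pushed value rather than a call-pushed
            # return address.
            top = stack.pop()
            # If the slot beneath holds the address right after this ret, the
            # push/push/ret triple behaves exactly like `call top.value`.
            if stack and stack[-1].value == fallthrough.get(addr):
                stack.pop()   # the disguised callee will consume that return address
                findings.append(("obfuscated_call", addr, top.value))
            else:
                findings.append(("ret_via_push", addr, top.value))
        # other mnemonics (mov, nop, ...) do not touch the stack in this toy model
    return findings


def obfuscated_calls(program: List[Instr]) -> List[Tuple[int, Optional[int]]]:
    """(address of the ret, disguised call target) for each obfuscated call found."""
    return [(addr, tgt) for kind, addr, tgt in analyze(program) if kind == "obfuscated_call"]


# Constructed listings; addresses and targets are made up for illustration.
PLAIN_CALL: List[Instr] = [
    (0x1000, "push", 0x41),      # argument
    (0x1002, "call", 0x2000),    # ordinary call, visible to any call-site scan
    (0x1007, "pop", None),       # discard argument
    (0x1008, "ret", None),
]

OBFUSCATED_CALL: List[Instr] = [
    (0x1000, "push", 0x100a),    # return address = address after the ret
    (0x1005, "push", 0x2000),    # target of the disguised call
    (0x1009, "ret", None),       # transfers control to 0x2000
    (0x100a, "nop", None),
]

SPREAD_CALL: List[Instr] = [
    (0x1000, "push", 0x100e),
    (0x1005, "mov", None),       # unrelated instructions interleaved
    (0x1007, "push", 0x2000),
    (0x100c, "nop", None),
    (0x100d, "ret", None),
    (0x100e, "nop", None),
]

if __name__ == "__main__":
    for name, listing in (("plain", PLAIN_CALL), ("obfuscated", OBFUSCATED_CALL), ("spread", SPREAD_CALL)):
        print(name, analyze(listing))
```

Because each slot remembers its pusher, the detection does not depend on the three instructions being adjacent: the spread listing is flagged just like the compact one. A real implementation would follow the control-flow graph and merge the abstract stacks at join points, which is what the paper's abstract stack graph provides.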