Abstract
DLLs (Dynamic Link Libraries) are usually protected by various anti-reverse-engineering techniques. One commonly used technique is code packing, because packed DLLs hinder static code analysis such as disassembly. In this paper, we propose a technique to reconstruct a binary file for static analysis by loading a packed DLL and triggering and monitoring the execution of its entry-point function and exported functions. By monitoring all memory operations and control transfer instructions, our approach extracts the original hidden code that is written into memory at run-time and constructs a binary from the original DLL, the extracted code and the records of control transfers. To demonstrate its effectiveness, we implemented a prototype, ReconPD, based on QEMU. The experiments show that ReconPD is able to analyze packed DLLs while remaining practical in terms of performance. Moreover, the reconstructed binary files can be successfully analyzed by static analysis tools such as IDA Pro.
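The core rule behind the approach in the abstract is write-then-execute: any memory that is written after the module is loaded and later becomes the target of a control transfer is code that did not exist in the file on disk, and its bytes as they are at execution time are what a disassembler needs. The following Python simulation is an added example written for this page; it is not ReconPD's code. It replays a constructed event trace (the kind of write and control-transfer events a QEMU-based monitor would report), marks written bytes as dirty, snapshots each dirty block the first time it executes, overlays those snapshots on a copy of the original image, and keeps the control-transfer edges. The load address, the 32-byte image and the trace are all constructed.

```python
# Added example (not the paper's ReconPD code): a simulation of the
# write-then-execute rule the abstract describes.  A real implementation
# would receive these events from a QEMU-style dynamic translator; here the
# events are a constructed trace so the block runs offline.
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class ReconstructedImage:
    base: int
    image: bytearray                           # original bytes with executed run-time code overlaid
    hidden_blocks: List[Tuple[int, bytes]] = field(default_factory=list)  # (address, bytes) at first execution
    transfers: List[Tuple[int, int]] = field(default_factory=list)        # (source, target) control transfers


class HiddenCodeTracer:
    """Tracks memory writes and control transfers for one loaded module."""

    def __init__(self, base: int, original: bytes):
        self.base = base
        self.mem = bytearray(original)          # live memory of the module
        self.dirty = set()                      # addresses written since load
        self.result = ReconstructedImage(base, bytearray(original))
        self._seen = set()                      # (address, bytes) already captured

    def _offset(self, addr: int, length: int = 1) -> int:
        off = addr - self.base
        if off < 0 or off + length > len(self.mem):
            raise ValueError(f"access outside module image: {addr:#x}")
        return off

    def on_write(self, addr: int, data: bytes) -> None:
        """Memory write: update live memory and mark the bytes dirty."""
        off = self._offset(addr, len(data))
        self.mem[off:off + len(data)] = data
        self.dirty.update(range(addr, addr + len(data)))

    def on_transfer(self, src: int, dst: int, block_len: int) -> bool:
        """Control transfer: record the edge, then inspect the target block."""
        self.result.transfers.append((src, dst))
        return self.on_execute(dst, block_len)

    def on_execute(self, addr: int, block_len: int) -> bool:
        """Basic block about to execute.  A block overlapping dirty memory is
        hidden code: snapshot its bytes as they are at execution time."""
        if not any(a in self.dirty for a in range(addr, addr + block_len)):
            return False                        # code already present in the file on disk
        off = self._offset(addr, block_len)
        snapshot = bytes(self.mem[off:off + block_len])
        key = (addr, snapshot)
        if key in self._seen:
            return False                        # same bytes executed before
        self._seen.add(key)
        self.result.hidden_blocks.append(key)
        self.result.image[off:off + block_len] = snapshot
        return True


def replay(tracer: HiddenCodeTracer, events) -> ReconstructedImage:
    """Feed ('write', addr, data) / ('exec', addr, len) / ('xfer', src, dst, len)
    events to the tracer and return the reconstruction."""
    for ev in events:
        kind, args = ev[0], ev[1:]
        if kind == "write":
            tracer.on_write(*args)
        elif kind == "exec":
            tracer.on_execute(*args)
        elif kind == "xfer":
            tracer.on_transfer(*args)
        else:
            raise ValueError(f"unknown event {kind!r}")
    return tracer.result


BASE = 0x10001000                               # constructed load address
# Constructed 32-byte image: an 8-byte unpacking stub followed by filler that
# the "packer" overwrites with real code at run-time.
ORIGINAL = bytes.fromhex("e9 13 00 00 00 90 90 90") + b"\xcc" * 24

# Constructed trace of what a monitor would observe while the entry point
# and one exported function run.
TRACE = [
    ("exec", BASE, 8),                                   # stub runs from the on-disk bytes
    ("write", BASE + 0x10, bytes.fromhex("55 8b ec")),   # push ebp; mov ebp, esp
    ("write", BASE + 0x13, bytes.fromhex("5d c3")),      # pop ebp; ret
    ("xfer", BASE + 0x07, BASE + 0x10, 5),               # jump into the unpacked entry code
    ("xfer", BASE + 0x07, BASE + 0x10, 5),               # second call: same bytes, not re-captured
    ("write", BASE + 0x18, bytes.fromhex("31 c0 c3")),   # xor eax, eax; ret (an export body)
    ("xfer", BASE + 0x14, BASE + 0x18, 3),               # export invoked
    ("write", BASE + 0x1c, b"\x41\x41"),                 # data write, never executed
]


def run_constructed_trace() -> ReconstructedImage:
    return replay(HiddenCodeTracer(BASE, ORIGINAL), TRACE)


if __name__ == "__main__":
    res = run_constructed_trace()
    for addr, code in res.hidden_blocks:
        print(f"hidden code at {addr:#x}: {code.hex(' ')}")
    print("control transfers:", [(hex(s), hex(d)) for s, d in res.transfers])
```

Two details of the design matter for the reconstructed file. Written memory that is never executed (the trailing data write in the trace) keeps its on-disk bytes in the output, so the result reflects what actually ran rather than every byte the packer touched; and a block is snapshotted at the moment it first executes, so if the same address later executes with different bytes (self-modifying or re-packed code) it is captured again as a separate version instead of overwriting the first.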
Supported by National Natural Science Foundation of China (No.60703076) and National High Technology Research and Development Program of China (No.2006AA01Z412 and No.2007AA01Z451)
© 2009 Springer-Verlag Berlin Heidelberg
Cite this paper
Wang, X., Feng, D., Su, P. (2009). Reconstructing a Packed DLL Binary for Static Analysis. In: Bao, F., Li, H., Wang, G. (eds) Information Security Practice and Experience. ISPEC 2009. Lecture Notes in Computer Science, vol 5451. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-00843-6_7
DOI: https://doi.org/10.1007/978-3-642-00843-6_7
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-00842-9
Online ISBN: 978-3-642-00843-6
eBook Packages: Computer Science, Computer Science (R0)