
Reconstructing a Packed DLL Binary for Static Analysis

  • Conference paper
Information Security Practice and Experience (ISPEC 2009)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 5451))

Abstract

DLLs (Dynamic Link Libraries) are usually protected by various anti-reverse-engineering techniques. One commonly used technique is code packing, since packed DLLs hinder static code analysis such as disassembly. In this paper, we propose a technique to reconstruct a binary file for static analysis by loading a packed DLL and then triggering and monitoring the execution of its entry-point function and exported functions. By monitoring all memory operations and control transfer instructions, our approach extracts the original hidden code that is written into memory at run-time and constructs a binary from the original DLL, the extracted code, and the records of control transfers. To demonstrate its effectiveness, we implemented our prototype, ReconPD, on top of QEMU. The experiments show that ReconPD is able to analyze packed DLLs while remaining practical in terms of performance. Moreover, the reconstructed binary files can be successfully analyzed by static analysis tools such as IDA Pro.

Supported by National Natural Science Foundation of China (No.60703076) and National High Technology Research and Development Program of China (No.2006AA01Z412 and No.2007AA01Z451)
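The core of the approach described in the abstract is a write-then-execute rule: bytes that the DLL writes into memory at run-time and later fetches as instructions are the hidden code, and every control transfer into or out of that code is recorded so the reconstructed binary can be linked back to the original. The following is an added illustration of that rule replayed over a constructed instruction-level trace; it is not ReconPD's code, and the `Event` record format, addresses and instruction bytes are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Event:
    """One record of an assumed instruction-level trace: a memory write or an
    instruction fetch. For "exec", src is the address of the instruction that
    transferred control here, or None for straight-line fall-through."""
    kind: str            # "write" or "exec"
    addr: int
    data: bytes = b""    # bytes written (write) or instruction bytes fetched (exec)
    src: Optional[int] = None

def extract_hidden_code(trace):
    """Replay the trace. An instruction fetched from bytes written earlier in the
    same run is hidden code. Returns (regions, transfers): regions maps each
    coalesced start address to the bytes actually executed there; transfers lists
    (src, dst) pairs for control transfers into or out of hidden code."""
    dirty, executed, transfers = set(), {}, []
    for ev in trace:
        span = range(ev.addr, ev.addr + len(ev.data))
        if ev.kind == "write":
            dirty.update(span)                      # remember run-time written bytes
        elif ev.kind == "exec":
            hidden = any(a in dirty for a in span)  # fetched from written memory?
            if hidden:
                executed.update(zip(span, ev.data))  # snapshot what really ran
            if ev.src is not None and (hidden or ev.src in executed):
                transfers.append((ev.src, ev.addr))
    regions, start = {}, None
    for a in sorted(executed):                      # coalesce into contiguous ranges
        if start is None or a - 1 not in executed:
            start = a
            regions[start] = bytearray()
        regions[start].append(executed[a])
    return {s: bytes(r) for s, r in regions.items()}, transfers

# Constructed trace: an unpacking stub in the original .text (0x1000) decrypts
# eight bytes into a writable section at 0x3000, calls it, and the unpacked
# code returns into the original image. Loop iterations of the stub are omitted.
SAMPLE_TRACE = [
    Event("exec", 0x1000, b"\xb9\x08\x00\x00\x00"),   # stub: mov ecx, 8
    Event("write", 0x3000, b"\x31\xc0"),              # xor eax, eax (decrypted)
    Event("write", 0x3002, b"\xb8\x01\x00\x00\x00"),  # mov eax, 1
    Event("write", 0x3007, b"\xc3"),                  # ret
    Event("exec", 0x1005, b"\xe8\xf6\x1f\x00\x00"),   # stub: call 0x3000
    Event("exec", 0x3000, b"\x31\xc0", src=0x1005),   # first fetch of hidden code
    Event("exec", 0x3002, b"\xb8\x01\x00\x00\x00"),
    Event("exec", 0x3007, b"\xc3"),
    Event("exec", 0x100a, b"\x90", src=0x3007),       # back in the original image
]

if __name__ == "__main__":
    regions, transfers = extract_hidden_code(SAMPLE_TRACE)
    for start, code in regions.items():
        print(f"hidden code @ {start:#x}: {code.hex()}")
    print("control transfers:", [(hex(s), hex(d)) for s, d in transfers])
```

Because the snapshot is taken at fetch time, a packer that overwrites bytes after they ran is dumped as the layer that actually executed, not as whatever the memory held when the process ended.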




Copyright information

© 2009 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Wang, X., Feng, D., Su, P. (2009). Reconstructing a Packed DLL Binary for Static Analysis. In: Bao, F., Li, H., Wang, G. (eds) Information Security Practice and Experience. ISPEC 2009. Lecture Notes in Computer Science, vol 5451. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-00843-6_7


  • DOI: https://doi.org/10.1007/978-3-642-00843-6_7

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-00842-9

  • Online ISBN: 978-3-642-00843-6

  • eBook Packages: Computer Science, Computer Science (R0)
