Abstract
Many modern software security techniques require transformation of executable binaries to add security features. Such transformation heavily depends on the correct and effecient disassembly. However, an increasing number of application binaries are packed before being distributed in the commercial world. Packed binaries are a special type of self-modifying code, which existing binary disassembly tools do not support very well, especially when automatic instrumentation is needed. This paper describes the design, implementation and evaluation of an efficient and automatic binary instrumentation tool for packed Win32/X86 binaries called Uncover. Uncover features two novel techniques: statically distinct packed binaries by entropy computation to minimize run-time disassembly overhead, and accurate tracking of binary unpacking process during runtime. These two techniques make it possible to disassemble Win32/X86 packed binaries as if they were never packed.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
IDAPro. IDA Pro Disassembler, http://www.datarescue.com/
OllyDbg. Oleh Yuschuk, http://www.ollydbg.de/
Peid, J., Qwerton, S., Xineohp, P., http://peid.has.it/
Lyda, R., Hamrock, J.: Using Entropy Analysis to Find Encrypted and Packed Malware. IEEE Security and Privacy 5(2), 40–45 (2007)
UPX. The ultimate packer for executables, http://upx.sourceforge.net/
ASPack. The advanced Win32 executable file compressor, http://www.aspack.com/
PECompact. PE packer, http://www.bitsum.com/pec2.asp
Bala, V., Duesterwald, E., Banerjia, S.: Dynamo: a transparent dynamic optimization system. ACM SIGPLAN Notices 35(5), 1–12 (2000)
Dyninst. An application program interface (api) for runtime code generation, http://www.dyninst.org/
Luk, C.-K., Cohn, R., Muth, R., Patil, H., Klauser, A., Lowney, G., Wallace, S., Reddi, V.J., Hazelwood, K.: Pin: building customized program analysis tools with dynamic instrumentation. In: PLDI 2005: Proceedings of the 2005 ACM SIGPLAN conference on Programming language design and implementation, pp. 190–200. ACM Press, New York (2005)
Sridhar, S., Shapiro, J.S., Bungale, P.P.: HDTrans: A Low-Overhead Dynamic Translator. In: Proc 2005 Workshop on Binary Instrumentation and Applications (2005)
Bellard, F.: QEMU, a Fast and Portable Dynamic Translator. In: Proc of USENIX 2005 Annual Technical Conference, FREENIX Track, pp. 41–46 (2005)
Martignoni, L., Christodorescu, M., Jha, S.: OmniUnpack: Fast, Generic, and Safe Unpacking of Malware. In: Proc. of 23 Annual Technical Computer Security Applications Conference (ACSAC 2007), pp. 431–441 (2007)
Nanda, S., Li, W., Lam, L.-C., Chiueh, T.: Bird: Binary interpretation using runtime disassembly. In: Conference of Code Generation and Optimization 2006, pp. 358–370 (2006)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2009 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Wu, Y., Chiueh, Tc., Zhao, C. (2009). Efficient and Automatic Instrumentation for Packed Binaries. In: Park, J.H., Chen, HH., Atiquzzaman, M., Lee, C., Kim, Th., Yeo, SS. (eds) Advances in Information Security and Assurance. ISA 2009. Lecture Notes in Computer Science, vol 5576. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-02617-1_32
Download citation
DOI: https://doi.org/10.1007/978-3-642-02617-1_32
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-02616-4
Online ISBN: 978-3-642-02617-1
eBook Packages: Computer ScienceComputer Science (R0)