Codescanner: Detecting (Hidden) x86/x64 code in arbitrary files
Authors: Viviane Zwanger, E. Gerhards-Padilla, M. Meier
DOI: 10.1109/MALWARE.2014.6999403 (https://doi.org/10.1109/MALWARE.2014.6999403)
Venue: 2014 9th International Conference on Malicious and Unwanted Software: The Americas (MALWARE), published October 2014
Citations: 8 (Semantic Scholar record)
Disassembly is indispensable for the proper analysis of malware. However, a common problem with the x86/x64 architecture is that disassemblers produce partially incorrect results. This is exploited by malware authors, who nowadays routinely generate binaries with anti-disassembly measures. In this paper, we derive general constraints on x86 code that are based not on disassembly but on the byte level. Based on these constraints, we develop a set of classifiers able to locate code in any kind of file. Operating on the byte level, our approach is independent of assembly semantics. Our evaluation shows that we are able to locate code precisely and provide anti-disassembly resistance independent of the operating system or compiler. Our tool can be used to detect the code sections of malware, improve code coverage for disassemblers, detect hidden code in files and in memory, or identify malware that uses anti-disassembly techniques.