REcompile:用于静态分析二进制文件的反编译框架

2013 8th International Conference on Malicious and Unwanted Software: "The Americas" (MALWARE) Pub Date : 2013-10-01 DOI:10.1109/MALWARE.2013.6703690

Khaled Yakdan, Sebastian Eschweiler, E. Gerhards-Padilla

{"title":"REcompile:用于静态分析二进制文件的反编译框架","authors":"Khaled Yakdan, Sebastian Eschweiler, E. Gerhards-Padilla","doi":"10.1109/MALWARE.2013.6703690","DOIUrl":null,"url":null,"abstract":"Reverse engineering of binary code is an essential step for malware analysis. However, it is a tedious and time-consuming task. Decompilation facilitates this process by transforming machine code into a high-level representation that is more concise and easier to understand. This paper describes REcompile, an efficient and extensible decompilation framework. REcompile uses the static single assignment form (SSA) as its intermediate representation and performs three main classes of analysis. Data flow analysis removes machine-specific details from code and transforms it into a concise high-level form. Type analysis finds variable types based on how those variables are used in code. Control flow analysis identifies high-level control structures such as conditionals, loops, and switch statements. These steps enable REcompile to produce well-readable decompiled code. The overall evaluation, using real programs and malware samples, shows that REcompile achieves a comparable and in many cases better performance than state-of-the-art decompilers.","PeriodicalId":325281,"journal":{"name":"2013 8th International Conference on Malicious and Unwanted Software: \"The Americas\" (MALWARE)","volume":"17 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2013-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"9","resultStr":"{\"title\":\"REcompile: A decompilation framework for static analysis of binaries\",\"authors\":\"Khaled Yakdan, Sebastian Eschweiler, E. Gerhards-Padilla\",\"doi\":\"10.1109/MALWARE.2013.6703690\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Reverse engineering of binary code is an essential step for malware analysis. However, it is a tedious and time-consuming task. Decompilation facilitates this process by transforming machine code into a high-level representation that is more concise and easier to understand. This paper describes REcompile, an efficient and extensible decompilation framework. REcompile uses the static single assignment form (SSA) as its intermediate representation and performs three main classes of analysis. Data flow analysis removes machine-specific details from code and transforms it into a concise high-level form. Type analysis finds variable types based on how those variables are used in code. Control flow analysis identifies high-level control structures such as conditionals, loops, and switch statements. These steps enable REcompile to produce well-readable decompiled code. The overall evaluation, using real programs and malware samples, shows that REcompile achieves a comparable and in many cases better performance than state-of-the-art decompilers.\",\"PeriodicalId\":325281,\"journal\":{\"name\":\"2013 8th International Conference on Malicious and Unwanted Software: \\\"The Americas\\\" (MALWARE)\",\"volume\":\"17 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2013-10-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"9\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2013 8th International Conference on Malicious and Unwanted Software: \\\"The Americas\\\" (MALWARE)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/MALWARE.2013.6703690\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2013 8th International Conference on Malicious and Unwanted Software: \"The Americas\" (MALWARE)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/MALWARE.2013.6703690","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 9

摘要

二进制代码的逆向工程是恶意软件分析的重要步骤。然而，这是一项乏味而耗时的任务。反编译通过将机器代码转换为更简洁、更容易理解的高级表示来促进这一过程。REcompile是一个高效、可扩展的反编译框架。REcompile使用静态单赋值形式(SSA)作为中间表示，并执行三种主要的分析类型。数据流分析从代码中删除特定于机器的详细信息，并将其转换为简洁的高级形式。类型分析根据在代码中如何使用这些变量来查找变量类型。控制流分析识别高级控制结构，如条件、循环和switch语句。这些步骤使REcompile能够生成易读的反编译代码。使用真实程序和恶意软件样本进行的总体评估表明，REcompile实现了与最先进的反编译器相当的性能，在许多情况下甚至更好。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

REcompile: A decompilation framework for static analysis of binaries

Reverse engineering of binary code is an essential step for malware analysis. However, it is a tedious and time-consuming task. Decompilation facilitates this process by transforming machine code into a high-level representation that is more concise and easier to understand. This paper describes REcompile, an efficient and extensible decompilation framework. REcompile uses the static single assignment form (SSA) as its intermediate representation and performs three main classes of analysis. Data flow analysis removes machine-specific details from code and transforms it into a concise high-level form. Type analysis finds variable types based on how those variables are used in code. Control flow analysis identifies high-level control structures such as conditionals, loops, and switch statements. These steps enable REcompile to produce well-readable decompiled code. The overall evaluation, using real programs and malware samples, shows that REcompile achieves a comparable and in many cases better performance than state-of-the-art decompilers.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

2013 8th International Conference on Malicious and Unwanted Software: "The Americas" (MALWARE)

自引率

0.00%

发文量