Analyzing Memory Accesses in Obfuscated x86 Executables

Michael Venable, Mohamed R. Chouchane, Md Enamul Karim and Arun Lakhotia

View Related Documents

Journal Article
Semi-automatic binary protection tampering
Yoann Guillot and Alexandre Gazet
Journal in Computer Virology, 2009, Volume 5, Number 2, Pages 119-149
- Download PDF (5.1 MB)
Book Chapter
Subroutines and Modules
Computer Communications and Networks, 2005, The Quintessential PIC® Microcontroller, II, Pages 147-183
- Download PDF (259.4 KB)
Book Chapter
Subroutines and Modules
Sid Katzen
Computer Communications and Networks, 2010, The Essential PIC18® Microcontroller, 2, Pages 159-204
- Download PDF (1.0 MB)
- View HTML
Book Chapter
Return-Address Prediction in Speculative Multithreaded Environments
Mohamed Zahran and Manoj Franklin
Lecture Notes in Computer Science, 2002, Volume 2552, High Performance Computing — HiPC 2002, Pages 609-619
- Download PDF (156.3 KB)
Book Chapter
Differentiating Code from Data in x86 Binaries
Richard Wartell, Yan Zhou, Kevin W. Hamlen, Murat Kantarcioglu and Bhavani Thuraisingham
Lecture Notes in Computer Science, 2011, Volume 6913, Machine Learning and Knowledge Discovery in Databases, Pages 522-536
- Download PDF (231.3 KB)
Book Chapter
Register Allocation
Torben Ægidius Mogensen
Undergraduate Topics in Computer Science, 2011, Introduction to Compiler Design, Pages 159-174
- Download PDF (222.8 KB)
- View HTML
Book Chapter
Low-Cost Microarchitectural Techniques for Enhancing the Prediction of Return Addresses on High-Performance Trace Cache Processors
Yunhe Shi, Emre Özer and David Gregg
Lecture Notes in Computer Science, 2006, Volume 4263, Computer and Information Sciences – ISCIS 2006, Pages 248-257
- Download PDF (312.7 KB)
Book Chapter
Efficient Detection of the Return-Oriented Programming Malicious Code
Ping Chen, Xiao Xing, Hao Han, Bing Mao and Li Xie
Lecture Notes in Computer Science, 2011, Volume 6503, Information Systems Security, Pages 140-155
- Download PDF (330.5 KB)
Journal Article
Mobile Agent Protection with Self-Modifying Code
Liang Shan and Sabu Emmanuel
Journal of Signal Processing Systems, 2011, Volume 65, Number 1, Pages 105-116
- Download PDF (587.0 KB)
- View HTML
Book Chapter
Static Disassembly and Code Analysis
Giovanni Vigna
Advances in Information Security, 1, Volume 27, Malware Detection, Part II, Pages 19-41
- Download PDF (1.3 MB)

Abstract

Programmers obfuscate their code to defeat manual or automated analysis. Obfuscations are often used to hide malicious behavior. In particular, malicious programs employ obfuscations of stack-based instructions, such as call and return instructions, to prevent an analyzer from determining which system functions it calls. Instead of using these instructions directly, a combination of other instructions, such as PUSH and POP, are used to achieve the same semantics. This paper presents an abstract interpretation based analysis to detect obfuscation of stack instructions. The approach combines Reps and Balakrishnan’s value set analysis (VSA) and Lakhotia and Kumar’s Abstract Stack Graph, to create an analyzer that can track stack manipulations where the stack pointer may be saved and restored in memory or registers. The analysis technique may be used to determine obfuscated calls made by a program, an important first step in detecting malicious behavior.

Fulltext Preview

Image of the first page of the fulltext document

Frequently asked questions General info on journals and books Send us your feedback Impressum Contact us

SpringerLink

Analyzing Memory Accesses in Obfuscated x86 Executables

View Related Documents

Abstract

Fulltext Preview