Deobfuscate Non-Returning Calls and Call-Stack Tampering in Instruction Traces

Abstract:

Instruction traces are essential for dynamic analysis in reverse engineering. Code in the instruction traces of malware and packer-protected binaries is often obfuscated to hinder analysts from understanding and analyzing it. Non-returning calls and call-stack tampering are two typical kinds of such obfuscation. We propose a deobfuscation approach that targets these two kinds of obfuscated code. We first apply static analysis to the instruction traces to identify obfuscated code. Then we transform the obfuscated code into semantically equivalent instructions that are easier to understand. Evaluation results on several packed binaries indicate that our approach deobfuscates instruction traces containing non-returning calls and call-stack tampering with high precision.
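As an added illustration of the two obfuscations the abstract names (this is not the paper's code), the following Python walks a constructed instruction trace with a shadow stack, flags a call whose return address is read rather than returned to and a push/ret pair used as a disguised jump, and rewrites both into equivalent plain instructions. The record format, the fixed 5-byte call length and all addresses are assumptions made for the example.

```python
from typing import List, Tuple

SIZE = 5  # assumed encoding length of every call in the constructed trace below
def deobfuscate(trace: List[Tuple[int, str, str]]):
    """Shadow-stack walk over (address, mnemonic, operands) records; returns (findings, rewritten trace)."""
    stack, findings = [], []      # stack entries: ("ret", call idx) or ("imm", push idx)
    out = [[insn] for insn in trace]   # a slot may become [] or several instructions
    for i, (addr, mnem, op) in enumerate(trace):
        nxt = trace[i + 1][0] if i + 1 < len(trace) else None
        if mnem == "call":
            stack.append(("ret", i))
        elif mnem == "push":
            stack.append(("imm", i))
        elif mnem in ("pop", "ret"):
            kind, src = stack.pop() if stack else ("none", None)
            if mnem == "pop" and kind == "ret":
                # "call X ; pop reg" reads the return address instead of returning to it;
                # the pair is equivalent to mov reg, <return address>
                findings.append((src, "non-returning call"))
                out[src] = []
                out[i] = [(addr, "mov", f"{op}, {trace[src][0] + SIZE:#x}")]
            elif mnem == "ret" and kind == "imm":
                # "push target ; ret" is a jmp in disguise
                findings.append((i, "call-stack tampering"))
                out[src] = []
                out[i] = [(addr, "jmp", trace[src][2])]
            elif mnem == "ret" and (kind == "none" or
                                    (nxt is not None and nxt != trace[src][0] + SIZE)):
                # ret with no pending call, or one landing away from the caller's fall-through
                findings.append((i, "call-stack tampering"))
    for kind, src in stack:   # calls still pending at trace end never returned either
        if kind == "ret":
            findings.append((src, "non-returning call"))
            a, _, target = trace[src]
            out[src] = [(a, "push", f"{a + SIZE:#x}"), (a, "jmp", target)]
    return findings, [insn for group in out for insn in group]
# Constructed trace, not taken from any real binary: call $+5 / pop to read EIP,
# push/ret as a disguised jump, then one well-behaved call/ret pair.
TRACE = [
    (0x401000, "call", "0x401005"),
    (0x401005, "pop", "eax"),
    (0x401006, "push", "0x401100"),
    (0x40100b, "ret", ""),
    (0x401100, "call", "0x401200"),
    (0x401200, "mov", "ebx, 1"),
    (0x401205, "ret", ""),
    (0x401105, "xor", "eax, eax"),
]
```

Calling `deobfuscate(TRACE)` reports the call at 0x401000 as non-returning and the ret at 0x40100b as stack tampering, and returns the trace with `mov eax, 0x401005` and `jmp 0x401100` in their place.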

Periodical:

Advanced Materials Research (Volumes 989-994)

Pages:

1782-1785

Online since:

July 2014

Copyright:

© 2014 Trans Tech Publications Ltd. All Rights Reserved
