
Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS)


Combined (static and dynamic) analysis of binary code

Abstract

This paper investigates the process of binary code analysis. To achieve typical goals (such as extracting algorithms and data formats, exploiting vulnerabilities, or revealing backdoors and undocumented features), a security analyst needs to explore control and data flow, reconstruct functions and variables, and identify input and output data. Traditionally, disassemblers and other static data flow analysis tools have been used for this purpose. However, since developers take steps to protect their programs from analysis (for example, code that is unpacked or decrypted only at runtime), static analysis may not yield results.

In such cases we propose to use dynamic analysis (analysis of execution traces of the program) to complement static analysis. The problems that arise in the analysis of binary programs are discussed, and corresponding ways to automate their solution are suggested. The core of the proposed method consists of whole-system tracing followed by successive lifting of the representation: OS-aware events, process/thread identification, and fully automated control and data flow reconstruction. The only manual step is searching for anchor instructions in the trace, e.g. I/O operations, which serve as the input criteria for another automated step: precise algorithm extraction by trace slicing. The final step of the method constructs static test-case code suitable for further analysis in tools such as IDA Pro.
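The trace-slicing step described above, as an added example that is not the authors' tool or code: a backward dynamic slice (in the Korel and Laski sense, data dependences only) computed over a hand-constructed whole-system trace of a toy 4-byte key check. It assumes the tracer has already lifted each executed instruction to the set of locations it defines and uses (registers, flags, concrete memory bytes); the instruction sequence, addresses and key constant are all made up for illustration. The anchor is the `write` call that emits the verdict; everything the verdict does not depend on (loop counters, an unrelated global read) drops out, and because the trace is already unrolled the slice is straight-line code covering only a few static instructions.

```python
"""Dynamic backward slicing from an I/O anchor over a constructed trace.

Added example, not the paper's tool or code. Assumes the tracer has lifted
each executed instruction to the locations it defines/uses. The trace is
constructed by hand for a toy key check and is not data from the paper.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TraceEntry:
    idx: int          # dynamic position in the trace
    addr: int         # static instruction address (repeats across loop iterations)
    text: str         # disassembly-style text, for display only
    defs: frozenset   # locations written by this execution of the instruction
    uses: frozenset   # locations read by this execution


def build_trace():
    """Constructed trace of a toy 4-byte key check (assumed, not real data)."""
    raw = [
        (0x1000, "call read(fd=0, buf=0x2000, n=4)", ["m2000", "m2001", "m2002", "m2003"], []),
        (0x1005, "mov ecx, 0", ["ecx"], []),
        (0x100a, "mov eax, 0", ["eax"], []),
        (0x100f, "mov edi, 0x2000", ["edi"], []),
        (0x1014, "mov esi, [0x3000]", ["esi"], ["m3000"]),   # unrelated to the verdict
    ]
    for i in range(4):                                         # loop body, fully unrolled
        key_byte = f"m200{i}"
        raw += [
            (0x1017, "movzx edx, byte [edi]", ["edx"], ["edi", key_byte]),
            (0x101a, "xor edx, 0x5a", ["edx"], ["edx"]),
            (0x101d, "add eax, edx", ["eax", "eflags"], ["eax", "edx"]),
            (0x101f, "inc edi", ["edi", "eflags"], ["edi"]),
            (0x1020, "inc ecx", ["ecx", "eflags"], ["ecx"]),
            (0x1021, "cmp ecx, 4", ["eflags"], ["ecx"]),
            (0x1024, "jl 0x1017", [], ["eflags"]),
        ]
    raw += [
        (0x1026, "mov ebx, 0", ["ebx"], []),
        (0x102b, "cmp eax, 0x1c8", ["eflags"], ["eax"]),
        (0x1031, "sete bl", ["ebx"], ["eflags", "ebx"]),
        (0x1034, "mov [0x2100], ebx", ["m2100"], ["ebx"]),
        (0x103a, "call write(fd=1, buf=0x2100, n=4)", [], ["m2100"]),
    ]
    return [TraceEntry(i, a, t, frozenset(d), frozenset(u))
            for i, (a, t, d, u) in enumerate(raw)]


def find_anchors(trace, prefix):
    """The one manual step: choose anchor instructions (here, an output call)."""
    return [e.idx for e in trace if e.text.startswith(prefix)]


def backward_slice(trace, anchor_idx):
    """Data-dependence dynamic slice ending at the anchor.

    Walk the trace backwards; keep every entry that defines a location that
    is still 'live', then replace those locations with the entry's own uses.
    Loop control (inc ecx / cmp / jl) never feeds the anchor's data, so it
    drops out and the result is straight-line code.
    """
    anchor = trace[anchor_idx]
    live = set(anchor.uses)
    kept = [anchor]
    for e in reversed(trace[:anchor_idx]):
        if e.defs & live:
            kept.append(e)
            live -= e.defs
            live |= e.uses
    kept.reverse()
    return kept


def static_addresses(entries):
    """Distinct static instructions covered by a slice."""
    return sorted({e.addr for e in entries})


def render(entries):
    """Straight-line listing that can be handed to a disassembler session."""
    return [f"{e.addr:#06x}: {e.text:<36} ; trace #{e.idx}" for e in entries]


if __name__ == "__main__":
    trace = build_trace()
    anchor = find_anchors(trace, "call write")[0]
    sl = backward_slice(trace, anchor)
    print("\n".join(render(sl)))
    print(f"{len(sl)} of {len(trace)} trace entries, "
          f"{len(static_addresses(sl))} static instructions")
```

The 38-entry trace shrinks to a 23-entry slice that touches 12 static instructions; the decoy `mov esi, [0x3000]`, the counter `ecx` and the conditional jumps are absent, and `inc edi` survives only in the three iterations whose result a later load consumes. A real implementation must also model partial-register and flag semantics exactly (the `sete bl` / `eflags` edge above is the simplest case) and, if the analyst wants the loop structure back rather than unrolled code, add control dependences to the walk.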

We implemented the proposed approach in an environment for dynamic analysis of binary code and evaluated it against a model example and two real-world examples: a program license manager and a malware sample. Our results show that the approach successfully explores algorithms and extracts them from whole-system traces. The required effort and time are significantly reduced compared with a traditional disassembler and interactive debugger.

About the Authors

A. Yu. Tikhonov
ISP RAS
Russian Federation


A. I. Avetisyan
ISP RAS
Russian Federation




For citations:


Tikhonov A.Yu., Avetisyan A.I. Combined (static and dynamic) analysis of binary code. Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS). 2012;22. (In Russ.)



This work is licensed under a Creative Commons Attribution 4.0 License.


ISSN 2079-8156 (Print)
ISSN 2220-6426 (Online)