Advances in Information Security
DOI: 10.1007/978-0-387-44599-1_2
Static Disassembly and Code Analysis

Abstract: The classification of an unknown binary program as malicious or benign requires two steps. In the first step, the stream of bytes that constitutes the program has to be transformed (or disassembled) into the corresponding sequence of machine instructions. In the second step, based on this machine code representation, static or dynamic code analysis techniques can be applied to determine the properties and function of the program. Both the disassembly and code analysis steps can be foiled by techniques …

Cited by 13 publications (16 citation statements)
References 11 publications

Citation statements
“…Static parsing techniques can accurately identify 90% or more of the functions in compiler-generated binaries despite the lack of symbol information [43], but are much worse at analyzing arbitrarily obfuscated code [24,51], and cannot analyze the packed code that exists in most malicious binaries [9]. Thus, most malware analysis is dynamic and begins by obtaining a trace of the program's executed instructions through single-step execution [17], dynamic instrumentation [41], or the instrumentation capabilities of a whole-system emulator [32].…”
Section: Related Work
“…Most work addressing disassembly relies on the use of heuristics to identify likely code regions [12,2,19]. Vigna [19] describes how to defeat anti-disassembly obfuscations by starting disassembly from every possible program location.…”
Section: Related Work
“…Vigna [19] describes how to defeat anti-disassembly obfuscations by starting disassembly from every possible program location. In our framework, this amounts to performing purely over-approximate control flow reconstruction with again a trivial analysis that knows only one single state.…”
Section: Related Work
“…Each basic block has a single entry and single exit point. Since the basic blocks are generated dynamically from a trace, the result of the basic block detection algorithm may differ from a static detection algorithm [19]. The basic blocks are generated from the dynamic trace, thus non-executed code will not be considered by the detection algorithm, because it is not incorporated in the trace.…”
Section: Fine-grained Dynamic Binary Instrumentation
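The statements quoted above cite this chapter for two ideas: decoding from every possible program location so that anti-disassembly junk bytes cannot hide instructions from a linear sweep, and then recovering control flow and basic blocks (single entry, single exit) from the resulting candidates. The Python below is an added illustration written for this page, not code from the chapter or from any of the citing papers. It implements a toy decoder for a handful of x86-64 opcodes, a plain linear sweep, exhaustive decoding from every byte offset, a reachability pass from the entry point that keeps only candidates connected by control flow, and a basic-block split. The byte sequence `SAMPLE` is hand-assembled; the opcode subset, the function names (`decode_at`, `linear_sweep`, `exhaustive`, `reachable`, `basic_blocks`, `analyse`) and the choice of selecting candidates by reachability are assumptions of this example, not the chapter's exact algorithm.

```python
"""Exhaustive disassembly versus linear sweep on an anti-disassembly byte sequence.

Toy decoder: only the opcodes needed by the constructed sample are recognised.
This is an illustration, not a general x86-64 disassembler.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Insn:
    offset: int
    length: int
    text: str
    target: Optional[int] = None   # branch or call destination, if any
    falls_through: bool = True     # False for unconditional jmp and ret


REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode_at(code: bytes, off: int) -> Optional[Insn]:
    """Decode one instruction starting at `off`; None if the bytes are unsupported."""
    if off >= len(code):
        return None
    op = code[off]

    def rel(size: int) -> Optional[int]:
        # Relative displacement of `size` bytes following the opcode.
        end = off + 1 + size
        if end > len(code):
            return None
        return end + int.from_bytes(code[off + 1:end], "little", signed=True)

    if op == 0x90:
        return Insn(off, 1, "nop")
    if op == 0xCC:
        return Insn(off, 1, "int3")
    if op == 0x55:
        return Insn(off, 1, "push rbp")
    if op == 0x5D:
        return Insn(off, 1, "pop rbp")
    if op == 0xC3:
        return Insn(off, 1, "ret", falls_through=False)
    if op == 0xEB:
        t = rel(1)
        return None if t is None else Insn(off, 2, f"jmp short 0x{t:x}", t, False)
    if op == 0x74:
        t = rel(1)
        return None if t is None else Insn(off, 2, f"jz short 0x{t:x}", t, True)
    if op == 0xE9:
        t = rel(4)
        return None if t is None else Insn(off, 5, f"jmp 0x{t:x}", t, False)
    if op == 0xE8:
        t = rel(4)
        return None if t is None else Insn(off, 5, f"call 0x{t:x}", t, True)
    if 0xB8 <= op <= 0xBF and off + 5 <= len(code):
        imm = int.from_bytes(code[off + 1:off + 5], "little")
        return Insn(off, 5, f"mov {REG32[op - 0xB8]}, 0x{imm:x}")
    if op == 0x48 and code[off + 1:off + 3] == b"\x89\xe5":
        return Insn(off, 3, "mov rbp, rsp")
    return None


def linear_sweep(code: bytes, start: int = 0) -> List[Insn]:
    """Decode sequentially; a junk byte desynchronises everything after it."""
    out, off = [], start
    while off < len(code):
        insn = decode_at(code, off)
        if insn is None:        # no way to resynchronise without control flow
            break
        out.append(insn)
        off += insn.length
    return out


def exhaustive(code: bytes) -> Dict[int, Insn]:
    """Decode at every offset; overlapping candidates are all kept."""
    return {off: insn for off in range(len(code)) if (insn := decode_at(code, off)) is not None}


def reachable(cands: Dict[int, Insn], entry: int) -> Dict[int, Insn]:
    """Keep only candidates connected to `entry` by fall-through or branch edges."""
    seen, work = {}, [entry]
    while work:
        off = work.pop()
        insn = cands.get(off)
        if insn is None or off in seen:
            continue
        seen[off] = insn
        if insn.falls_through:
            work.append(off + insn.length)
        if insn.target is not None:
            work.append(insn.target)
    return dict(sorted(seen.items()))


def basic_blocks(insns: Dict[int, Insn], entry: int) -> List[List[Insn]]:
    """Split into single-entry, single-exit blocks: leaders are the entry,
    branch targets and the instruction after any branch or ret."""
    leaders = {entry}
    for insn in insns.values():
        if insn.target is not None or not insn.falls_through:
            leaders.add(insn.offset + insn.length)
        if insn.target is not None:
            leaders.add(insn.target)
    blocks: List[List[Insn]] = []
    cur: List[Insn] = []
    for off in sorted(insns):
        prev = cur[-1] if cur else None
        if prev and (off in leaders or not prev.falls_through or off != prev.offset + prev.length):
            blocks.append(cur)
            cur = []
        cur.append(insns[off])
    if cur:
        blocks.append(cur)
    return blocks


# Constructed sample (hand-assembled for this example, not from a real binary):
# a jmp over one junk byte 0xE8, the opcode of call rel32, so a linear sweep that
# reaches offset 6 swallows the real "mov eax, 0x2a" as the call's displacement.
SAMPLE = bytes([
    0x55,                          # 00: push rbp
    0x48, 0x89, 0xE5,              # 01: mov rbp, rsp
    0xEB, 0x01,                    # 04: jmp short 0x07  (skips the junk byte)
    0xE8,                          # 06: junk byte, never executed
    0xB8, 0x2A, 0x00, 0x00, 0x00,  # 07: mov eax, 0x2a
    0x5D,                          # 0c: pop rbp
    0xC3,                          # 0d: ret
])


def analyse(code: bytes, entry: int = 0) -> dict:
    cands = exhaustive(code)
    live = reachable(cands, entry)
    return {
        "linear": [i.text for i in linear_sweep(code, entry)],
        "candidates": sorted(cands),
        "reachable": [i.text for i in live.values()],
        "blocks": [[i.offset for i in b] for b in basic_blocks(live, entry)],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(SAMPLE), indent=2))
```

On the sample, the linear sweep reports a bogus `call` at offset 6 and then stops on the bytes it can no longer decode, while the exhaustive pass produces a candidate at offset 6 as well as the true instructions at 7, 12 and 13; the reachability walk from the entry point discards the junk candidate because nothing transfers control to it, and the block split yields two blocks, one ending in the jump and one ending in the return. The over-approximation the second quoted statement refers to is visible in the candidate set, which includes instructions that no execution ever reaches.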