DocumentCode :
3006034
Title :
Visualizing compiled executables for malware analysis
Author :
Quist, Daniel A. ; Liebrock, Lorie M.
Author_Institution :
Los Alamos Nat. Lab., New Mexico Tech, Socorro, NM, USA
fYear :
2009
fDate :
11-11 Oct. 2009
Firstpage :
27
Lastpage :
32
Abstract :
Reverse engineering compiled executables is a task with a steep learning curve. It is complicated by the need to translate assembly into a series of abstractions that represent the overall flow of a program. Most of the work involves finding interesting areas of an executable and determining their overall functionality. This paper presents a method that uses dynamic analysis of program execution to visually represent the overall flow of a program. We use the Ether hypervisor framework to covertly monitor a program, so that the monitored sample cannot easily detect that it is being traced. The resulting execution data is processed and presented to the reverse engineer. Using this method, the amount of time needed to extract key features of an executable is greatly reduced, improving productivity. A preliminary user study indicates that the tool is useful for both new and experienced users.
Keywords :
invasive software; program diagnostics; reverse engineering; Ether hypervisor framework; compiled executables; malware analysis; program execution; program flow representation; assembly; data visualization; electronic mail; engineering management; laboratories; monitoring; productivity; project management; virtual machine monitors; dynamic analysis; visualization; K.6.1 [Management of Computing and Information Systems]: Project and People Management - Life Cycle; K.7.m [The Computing Profession]: Miscellaneous - Ethics
fLanguage :
English
Publisher :
ieee
Conference_Titel :
6th International Workshop on Visualization for Cyber Security (VizSec 2009)
Conference_Location :
Atlantic City, NJ
Print_ISBN :
978-1-4244-5413-6
Type :
conf
DOI :
10.1109/VIZSEC.2009.5375539
Filename :
5375539