DocumentCode :
3531681
Title :
Extracting Sent Message Formats from Executables Using Backward Slicing
Author :
Min Liu ; Chunfu Jia ; Lu Liu ; Zhi Wang
Author_Institution :
Coll. of Inf. Tech. Sci., Nankai Univ., Tianjin, China
fYear :
2013
fDate :
9-11 Sept. 2013
Firstpage :
377
Lastpage :
384
Abstract :
Network communication protocol reverse-engineering is important for malicious software analysis. Security analysts need to rewrite messages sent and received by malicious software according to the protocol to control the malware's malicious behaviors. To enable such rewriting, we need detailed information about the messages sent by the malware program on the target host in the network dialog. However, recent work on sent message extraction has limitations, and the source code of the malware program is usually not available. This paper proposes an analysis method that extracts the sent message format by processing executables. It first obtains a reliable execution trace of the malware program, then recovers the syntax structure of the send buffer of the send function by combining binary code analysis with binary dynamic backward program slicing. Finally, we use dynamic taint analysis to extract the semantic information of the different syntax fields. The experimental results show that our analysis framework can effectively analyze the format information of the malware's sent messages.
Keywords :
invasive software; program slicing; reverse engineering; backward slicing; binary code analysis technique; binary dynamic backward program slicing technique; dynamic taint analysis; malicious software analysis; malware program; network communication protocol; reliable execution trace; reverse-engineering; semantic information; sent message extraction; sent message format; source code; syntax structure; Monitoring; Performance analysis; Protocols; Semantics; Silicon; Software; Syntactics; dynamic program slicing; dynamic taint analysis; malicious software; sent message;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Emerging Intelligent Data and Web Technologies (EIDWT), 2013 Fourth International Conference on
Conference_Location :
Xi'an
Print_ISBN :
978-1-4799-2140-9
Type :
conf
DOI :
10.1109/EIDWT.2013.71
Filename :
6631649