Codescanner: Detecting (Hidden) x86/x64 code in arbitrary files

Author

Zwanger, Viviane ; Gerhards-Padilla, Elmar ; Meier, Markus

Author_Institution

Inst. of Comput. Sci. 4, Univ. of Bonn, Bonn, Germany

fYear

2014

fDate

28-30 Oct. 2014

Firstpage

118

Lastpage

127

Abstract

Disassembly is indispensable for the proper analysis of malware. However, a common problem concerning the x86/x64 architecture is that disassemblers produce partially incorrect results. This is used by malware authors who nowadays routinely generate binaries with anti-disassembly measures. In this paper, we derive general constraints on x86 code which are not based on disassembly but on byte level. Based on these constraints we develop a set of classifiers able to locate code in any kind of files. Operating on byte level, our approach is independent of assembly semantics. Our evaluation shows that we are able to precisely locate code and provide anti-disassembly resistance independent of the operating system or compiler. Our tool can be used to detect the code sections of malware, improve code coverage for disassemblers, detect hidden code in files and in memory, or identify malware with anti-disassembly techniques.

Keywords

invasive software; pattern classification; program assemblers; Codescanner; antidisassembly measures; arbitrary files; assembly semantics; byte level; classifiers; code coverage; disassemblers; malware; x86-x64 code detection; Assembly; Cryptography; Entropy; Forensics; Malware; Semantics; Software;

fLanguage

English

Publisher

ieee

Conference_Titel

Malicious and Unwanted Software: The Americas (MALWARE), 2014 9th International Conference on

Conference_Location

Fajardo, PR

Print_ISBN

978-1-4799-7328-6

Type

conf

DOI

10.1109/MALWARE.2014.6999403

Filename

6999403