Recovering C++ Objects From Binaries Using Inter-Procedural Data-Flow Analysis

October 28, 2014 • Article

By

Wesley Jin, Cory Cohen, Jeff Gennari, Chuck Hines, Sagar Chaki, Arie Gurfinkel, Jeff Havrilla, and Priya Narasimhan (Carnegie Mellon University)

In this article, the authors present a static approach that uses symbolic execution and inter-procedural data flow analysis to discover object instances, data members, and methods of a common class.

Publisher

ACM, Inc.

Topic or Tag

Reverse Engineering For Malware Analysis

Abstract

Object-oriented programming complicates the already difficult task of reverse engineering software, and is being used increasingly by malware authors. Unlike traditional procedural-style code, reverse engineers must understand the complex interactions between object-oriented methods and the shared data structures with which they operate on, a tedious manual process.

In this paper, we present a static approach that uses symbolic execution and inter-procedural data flow analysis to discover object instances, data members, and methods of a common class. The key idea behind our work is to track the propagation and usage of a unique object instance reference, called a this pointer. Our goal is to help malware reverse engineers to understand how classes are laid out and to identify their methods. We have implemented our approach in a tool called ObJDIGGER, which produced encouraging results when validated on real-world malware samples.

Software Engineering Institute