Title: Poster: Identifying dynamic data structures in malware
Authors: Rupprecht, Thomas
Chen, Xi
White, David H.
Mühlberg, Tobias
Bos, Herbert
Lüttgen, Gerald
Issue Date: 28-Oct-2016
Publisher: ACM
Conference: ACM CCS, 23rd edition, Vienna, Austria, 24-28 October 2016
Abstract: As the complexity of malware grows, so does the necessity of employing program structuring mechanisms during development. While control flow structuring is often obfuscated, the dynamic data structures employed by the program are typically untouched. We report on work in progress that exploits this weakness to identify dynamic data structures present in malware samples for the purposes of aiding reverse engineering and constructing malware signatures, which may be employed for malware classification.

Using a prototype implementation, which combines the type recovery tool Howard and the identification tool Data Structure Investigator (DSI), we analyze data structures in Carberp and AgoBot malware. Identifying their data structures proves to be a challenging problem. To tackle this, we propose a new type recovery for binaries based on machine learning, which uses Howard's types to guide the search and DSI's memory abstraction for hypothesis evaluation.
Publication status: accepted
KU Leuven publication type: IC
Appears in Collections:Informatics Section

Files in This Item:
File: paper.pdf
Description: Poster paper
Status: Accepted
Size: 151Kb
Format: Adobe PDF
