Poster: Identifying dynamic data structures in malware
Thomas Rupprecht, Xi Chen, David H. White, Tobias Mühlberg, Herbert Bos, Gerald Lüttgen
ACM CCS 2016 (23rd edition), Vienna, Austria, 24-28 October 2016
As the complexity of malware grows, so does the necessity of employing program structuring mechanisms during development. While control flow structuring is often obfuscated, the dynamic data structures employed by the program are typically untouched. We report on work in progress that exploits this weakness to identify dynamic data structures present in malware samples for the purposes of aiding reverse engineering and constructing malware signatures, which may be employed for malware classification.
Using a prototype implementation, which combines the type recovery tool Howard and the identification tool Data Structure Investigator (DSI), we analyze data structures in Carberp and AgoBot malware. Identifying their data structures proves to be a challenging problem. To tackle this, we propose a new type recovery for binaries based on machine learning, which uses Howard's types to guide the search and DSI's memory abstraction for hypothesis evaluation.