The number of viruses and malware has grown dramatically over the last few years, and this number is expected to keep growing. Due to the increasing amount of malicious software circulating over the Internet, it is almost impossible to reverse engineer every binary executable line by line, as doing so is very challenging and time consuming. In order to provide immediate security solutions and reduce the time spent understanding the malicious portions contained in viruses, Trojans and other general security flaws, a comprehensive design of a visual debugger is introduced in this paper. The research involves the reverse engineering of binary executables by transforming the stream of bytes that constitutes the program into the corresponding sequence of machine instructions. Both a static and a dynamic debugger will be developed and interact with a graph visualization system to visualize the parsed instructions of a targeted executable file as an execution flow graph. To improve effectiveness, graph visualization is developed to accelerate the analysis. We reconstruct the targeted program's control flow and break it into smaller regions. Fragments of malicious instructions can then be easily located via the control flow graph information.

• The approach of identifying a malicious program's instructions in fractions of the code greatly simplifies and speeds up the analysis process.
• The analysis tool allows tracing to be done either forward or backward, thereby providing a comprehensive binary analysis tool.
• The analysis tool is able to pin-point the original entry point (OEP) of a packed malicious executable program quickly.

The framework is based on the integration of both static and dynamic binary translation. The ease of loading debugging symbol files benefits the analyst by identifying the constant offsets of functions in a higher-level disassembly automatically. The Replay component, which provides backtracking ability, enables efficient transitions between execution points in a trace in both the forward and the backward direction.

Poster sections: Abstract, Methodology, Results, Discussion, Conclusion.

Fig. 1: Interaction of Debugger with Mini-Graph
Fig. 2: Original Entry Point (OEP) Identification of UPX packer
Fig. 3: Remote HTTP Connection and Response
Fig. 4: RPC Connection

Contact details: Chan Lee Yee and Mahamod Ismail
E-mail: [email protected], [email protected]
Dept. of Electrical, Electronics & System Engineering, Faculty of Engineering & Built Environment, Universiti Kebangsaan Malaysia, 43600 UKM Bangi, Selangor, MALAYSIA
(Project Grant: UKM-OUP-2012-182)
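The abstract describes the core pipeline of the debugger: decode a byte stream into instructions, cut the instruction sequence into smaller regions (basic blocks), and connect them into a flow graph that can be traced forward or backward. The following is an added illustration written for this page, not the poster authors' code: it uses a constructed toy 8-bit instruction set (not x86, so the opcode table, the sample bytes and all addresses are assumptions chosen for the example) and implements the standard leader-based basic-block algorithm plus forward/backward reachability over the resulting graph.

```python
"""Toy linear-sweep disassembler and control-flow-graph builder.

Constructed example: the instruction set below is made up for this
illustration and is not x86 and not the poster's own decoder. It shows the
bytes -> instructions -> regions (basic blocks) -> flow graph steps.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Assumed toy ISA: opcode -> (mnemonic, length in bytes, control-flow kind)
# kind: 'fall' falls through, 'jmp' unconditional, 'jcc' conditional,
#       'call' falls through after the callee returns, 'ret' no successor
OPCODES = {
    0x00: ("nop", 1, "fall"),
    0x01: ("mov r0, imm8", 2, "fall"),
    0x02: ("add r0, imm8", 2, "fall"),
    0x10: ("jmp rel8", 2, "jmp"),
    0x11: ("jz rel8", 2, "jcc"),
    0x20: ("ret", 1, "ret"),
    0x30: ("call rel8", 2, "call"),
}


@dataclass
class Insn:
    addr: int
    mnemonic: str
    length: int
    kind: str
    target: Optional[int] = None  # resolved branch/call target, if any


def decode(code: bytes, base: int = 0) -> List[Insn]:
    """Linear sweep: turn the raw byte stream into a sequence of instructions."""
    insns, off = [], 0
    while off < len(code):
        op = code[off]
        if op not in OPCODES:
            raise ValueError(f"unknown opcode {op:#04x} at {base + off:#06x}")
        mnem, length, kind = OPCODES[op]
        if off + length > len(code):
            raise ValueError(f"truncated instruction at {base + off:#06x}")
        target = None
        if kind in ("jmp", "jcc", "call"):
            rel = code[off + 1]
            rel = rel - 256 if rel > 127 else rel      # sign-extend rel8
            target = base + off + length + rel          # relative to next insn
        insns.append(Insn(base + off, mnem, length, kind, target))
        off += length
    return insns


def build_cfg(insns: List[Insn]) -> Tuple[List[List[Insn]], Dict[int, List[int]], Dict[int, List[int]]]:
    """Split instructions into basic blocks and compute successor/predecessor edges."""
    by_addr = {i.addr: i for i in insns}
    leaders = {insns[0].addr}                           # program entry
    for i in insns:
        if i.kind in ("jmp", "jcc", "call") and i.target in by_addr:
            leaders.add(i.target)                       # transfer target starts a block
        if i.kind != "fall" and (i.addr + i.length) in by_addr:
            leaders.add(i.addr + i.length)              # instruction after a transfer
    blocks, cur = [], []
    for i in insns:                                     # cut the list at each leader
        if i.addr in leaders and cur:
            blocks.append(cur)
            cur = []
        cur.append(i)
    if cur:
        blocks.append(cur)
    succ = {b[0].addr: [] for b in blocks}
    pred = {b[0].addr: [] for b in blocks}
    for b in blocks:
        last, outs = b[-1], []
        if last.kind in ("jmp", "jcc") and last.target in succ:
            outs.append(last.target)                    # taken branch
        if last.kind in ("fall", "jcc", "call"):
            nxt = last.addr + last.length
            if nxt in succ:
                outs.append(nxt)                        # fall-through / return from call
        succ[b[0].addr] = outs
        for t in outs:
            pred[t].append(b[0].addr)
    return blocks, succ, pred


def walk(edges: Dict[int, List[int]], start: int) -> Set[int]:
    """Reachable block set: pass succ for forward tracing, pred for backward tracing."""
    seen, todo = set(), [start]
    while todo:
        a = todo.pop()
        if a in seen:
            continue
        seen.add(a)
        todo.extend(edges.get(a, []))
    return seen


# Constructed sample program: a counting loop, a call, and two returns.
SAMPLE = bytes([0x01, 0x05,   # 0x00 mov r0, 5
                0x02, 0x01,   # 0x02 add r0, 1
                0x11, 0x02,   # 0x04 jz  -> 0x08
                0x10, 0xFA,   # 0x06 jmp -> 0x02 (loop back edge)
                0x30, 0x01,   # 0x08 call -> 0x0B
                0x20,         # 0x0A ret
                0x00,         # 0x0B nop
                0x20])        # 0x0C ret

if __name__ == "__main__":
    blocks, succ, pred = build_cfg(decode(SAMPLE))
    for b in blocks:
        print(f"block {b[0].addr:#04x}: " + "; ".join(i.mnemonic for i in b)
              + f"  -> {[f'{s:#04x}' for s in succ[b[0].addr]]}")
    print("backward from 0x0a:", sorted(walk(pred, 0x0A)))
```

The call at 0x08 makes 0x0B a block boundary but deliberately adds no edge to it, so the graph stays intra-procedural; the backward walk from the ret at 0x0A therefore reaches the loop and the entry block but not the callee, which is the kind of region boundary an analyst uses to isolate a suspicious fragment.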

APCC2012_Chan - Final

