Reversing Compiled Executables for Malware Analysis via Visualization

Authors: Lorie M. Liebrock, Daniel Quist
Year of publication: 2011
Subject:
Source: Information Visualization. 10:117-126
ISSN: 1473-8724, 1473-8716
DOI: 10.1057/ivs.2010.11
Description: Reverse engineering compiled executables is a task with a steep learning curve. It is complicated by the need to translate assembly into a series of abstractions that represent the overall flow of a program. Most of the steps involve finding interesting areas of an executable and determining their general functionality. This article presents a method that uses dynamic analysis of program execution to visually represent the general flow of a program. We use the Ether hypervisor framework to covertly monitor a program. The data are processed and presented to the reverse engineer. The VERA (Visualization of Executables for Reversing and Analysis) system specifically accelerates locating the original entry point and understanding overall executable functionality. Using this method, the time needed to extract key features of an executable is greatly reduced, improving productivity. Two malware samples are used to demonstrate the advantages of using the VERA system to reverse engineer malware. Further, these examples exemplify a reversing process enhanced through effective use of dynamic analysis tools. A preliminary user study indicates that the tool is useful for both new and experienced users.
Database: OpenAIRE
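The abstract describes the pipeline only in outline: a hypervisor records which code a sample executes, the trace is turned into a flow graph for the analyst, and the graph makes the original entry point (OEP) of a packed sample easy to spot. The following is an added example, written for this record and not code from the paper or from the VERA system, of the trace-processing step. It assumes a trace already captured by some monitor (here a constructed list of `exec`/`write` records with hypothetical addresses, standing in for Ether output), builds a basic-block transition graph with edge counts, flags the first executed address that the sample itself wrote earlier (the common write-then-execute heuristic, which is an assumption here, not the paper's stated method), and emits the graph in Graphviz DOT form so the unpacker loop and the jump into unpacked code can be seen.

```python
"""Turn an execution trace into a flow graph and flag an OEP candidate.

Added example for this bibliographic record; not VERA or Ether code.
The trace format and addresses below are constructed for illustration.
"""
from collections import Counter

# Constructed trace. Each record is (event, address, size):
#   "exec"  - start of an executed basic block (size unused)
#   "write" - a memory write of `size` bytes at `address`
# The first phase (0x401000..) is an unpacking stub that loops, writing
# decrypted code into 0x402000.., then jumps there. All addresses are
# hypothetical and exist only to make the example run offline.
TRACE = [
    ("exec", 0x401000, 0),
    ("exec", 0x401010, 0),   # loop body: decrypt one dword
    ("write", 0x402000, 4),
    ("exec", 0x401010, 0),
    ("write", 0x402004, 4),
    ("exec", 0x401010, 0),
    ("write", 0x402008, 4),
    ("exec", 0x401020, 0),   # loop exit, transfer into unpacked code
    ("exec", 0x402000, 0),   # first execution of self-written memory
    ("exec", 0x402008, 0),
    ("exec", 0x402000, 0),
]


def build_flow_graph(trace):
    """Count transitions between consecutively executed basic blocks.

    Returns a Counter keyed by (src, dst). Edge weight > 1 marks a loop
    that ran more than once, which is what an unpacker loop looks like.
    """
    edges = Counter()
    prev = None
    for event, addr, _size in trace:
        if event != "exec":
            continue
        if prev is not None:
            edges[(prev, addr)] += 1
        prev = addr
    return edges


def find_oep_candidate(trace):
    """Write-then-execute heuristic: first executed address that the
    sample wrote earlier in the same trace. This is an assumed heuristic,
    not the paper's method; it gives false positives for self-modifying
    code and only finds the first layer of a multi-layer packer.
    """
    written = set()
    for event, addr, size in trace:
        if event == "write":
            written.update(range(addr, addr + size))
        elif event == "exec" and addr in written:
            return addr
    return None


def loop_edges(edges):
    """Edges taken more than once, sorted by hotness (most-taken first)."""
    return sorted(((e, n) for e, n in edges.items() if n > 1),
                  key=lambda item: -item[1])


def to_dot(edges, oep=None):
    """Render the transition graph as Graphviz DOT text. Edge labels carry
    the hit count; the OEP candidate, if any, is drawn as a filled node.
    """
    lines = ["digraph trace {"]
    if oep is not None:
        lines.append(f'  "0x{oep:x}" [style=filled, fillcolor=yellow];')
    for (src, dst), n in sorted(edges.items()):
        lines.append(f'  "0x{src:x}" -> "0x{dst:x}" [label="{n}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    graph = build_flow_graph(TRACE)
    candidate = find_oep_candidate(TRACE)
    print("OEP candidate:", hex(candidate) if candidate else None)
    print("hot edges:", [(hex(s), hex(d), n) for (s, d), n in loop_edges(graph)])
    print(to_dot(graph, candidate))
```

Piping the DOT output through `dot -Tpng` gives the kind of picture the abstract has in mind: a tight self-loop on the stub, then a single edge into a region that was never executed before. The heuristic only proposes a candidate; the analyst still confirms it, which is the point of presenting the graph rather than a single address.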