2009 | OriginalPaper | Buchkapitel
Reconstructing a Packed DLL Binary for Static Analysis
verfasst von : Xianggen Wang, Dengguo Feng, Purui Su
Erschienen in: Information Security Practice and Experience
Verlag: Springer Berlin Heidelberg
Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.
Wählen Sie Textabschnitte aus um mit Künstlicher Intelligenz passenden Patente zu finden. powered by
Markieren Sie Textabschnitte, um KI-gestützt weitere passende Inhalte zu finden. powered by
DLLs (Dynamic Link Libraries) are usually protected by various anti-reversing engineering techniques. One technique commonly used is code packing as packed DLLs hinder static code analysis such as disassembly. In this paper, we propose a technique to reconstruct a binary file for static analysis by loading a DLL and triggering and monitoring the execution of the entry-point function and exported functions of packed DLLs. By monitoring all memory operations and control transfer instructions, our approach extracts the original hidden code which is written into the memory at run-time and constructs a binary based on the original DLL, the codes extracted and the records of control transfers. To demonstrate its effectiveness, we implemented our prototype ReconPD based on QEMU. The experiments show that ReconPD is able to analyze the packed DLLs, yet practical in terms of performance. Moreover, the reconstructed binary files can be successfully analyzed by static analysis tools, such as IDA Pro.