Jump to content
Tuts 4 You

Obfuscation Code Localization Based on CFG Generation of Malware

Teddy Rogers

About This File

This paper presents a tool BE-PUM (Binary Emulator for PUshdown Model generation), which generates a precise control flow graph (CFG), under presence of typical obfuscation techniques of malware, e.g., indirect jump, self-modification, overlapping instructions, and structured exception handler (SEH), which cover packers. Experiments are performed on 2000 real-world malware examples taken from VX Heaven and compare the results of a popular commercial disassembler IDA Pro, a state-of-the-art tool JakStab, and BE-PUM. It shows that BE-PUM correctly traces CFGs, whereas IDA Pro and JakStab fail. By manual inspection on 300 malware examples, we also observe that the starts of these failures exactly locate the entries of obfuscation code.

User Feedback

Recommended Comments

There are no comments to display.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...