Abstract
Today's software is growing in size and complexity. Consequently, analysing closed-source binaries becomes time-consuming and labour-intensive. In the common use case, the analyst is only interested in specific functions of the given application. Identifying the relevant functions is difficult because no related meta information is available. In this paper we present a framework that speeds up the reverse-engineering process using interactive function identification. We use Dynamic Binary Instrumentation as the basis for collecting the executed function calls, and we support the analyst in filtering out the functions relevant to a specific functionality. Our approach is divided into three process steps: real-time data gathering, user-defined information processing/filtering, and graphical representation. We show a significant speed-up of the reverse-engineering process using our framework: we reduce the number of executed functions the analyst has to view by more than 90 %, and the visual components help the analyst pre-select functions on an abstract level.
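As an added illustration of the filtering step (example code written for this page, not the authors' framework), the following Python compares two constructed call traces, one recorded while the application idles and one recorded while the analyst triggers the functionality of interest, and keeps only the functions executed exclusively in the second run. The trace format, the addresses and the differential filter itself are assumptions, not the paper's own design.

```python
from collections import Counter

# Constructed trace lines in the shape a DBI call-logging tool could emit:
# "<thread id> <callee address>" per executed call. Not the paper's format.
BASELINE_TRACE = """\
1 0x401000
1 0x401050
1 0x4010a0
1 0x401050
1 0x4011f0
"""
TARGET_TRACE = """\
1 0x401000
1 0x401050
1 0x402300
1 0x402340
1 0x402300
1 0x4010a0
1 0x402380
1 0x4011f0
"""


def parse_trace(text):
    """Return a Counter mapping callee address -> number of executed calls."""
    hits = Counter()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed records
        hits[int(parts[1], 16)] += 1
    return hits


def differential_filter(baseline, target, min_hits=1):
    """Keep functions hit during the target action but never in the baseline.
    min_hits drops one-off hits that are often noise (e.g. lazy initialisation)."""
    return sorted(a for a, n in target.items() if a not in baseline and n >= min_hits)


def reduction_percent(total, kept):
    """Share of executed functions the analyst no longer has to inspect."""
    return 100.0 * (total - kept) / total if total else 0.0


def run_example():
    base, tgt = parse_trace(BASELINE_TRACE), parse_trace(TARGET_TRACE)
    candidates = differential_filter(base, tgt)
    return candidates, reduction_percent(len(tgt), len(candidates))


if __name__ == "__main__":
    cands, pct = run_example()
    for addr in cands:
        print(f"candidate {addr:#x}")
    print(f"reduced the functions to view by {pct:.0f} %")
```

Raising min_hits or adding a second baseline run (another unrelated action) narrows the candidate set further, which is the kind of user-defined filter the paper's second process step leaves to the analyst.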
Copyright information
© 2016 Springer International Publishing Switzerland
Cite this paper
Kilic, F., Laner, H., Eckert, C. (2016). Interactive Function Identification Decreasing the Effort of Reverse Engineering. In: Lin, D., Wang, X., Yung, M. (eds) Information Security and Cryptology. Inscrypt 2015. Lecture Notes in Computer Science, vol 9589. Springer, Cham. https://doi.org/10.1007/978-3-319-38898-4_27
DOI: https://doi.org/10.1007/978-3-319-38898-4_27
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-38897-7
Online ISBN: 978-3-319-38898-4