CodeXt: Automatic Extraction of Obfuscated Attack Code from Memory Dump

  • Conference paper
Information Security (ISC 2014)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8783)

Abstract

In this paper, we present CodeXt—a novel malware code extraction framework built upon selective symbolic execution (S2E). Upon real-time detection of the attack, CodeXt is able to automatically and accurately pinpoint the exact start and boundaries of the attack code even if it is mingled with random bytes in the memory dump. CodeXt has a generic way of handling self-modifying code and multiple layers of encoding, and it can automatically extract the complete hidden and transient code protected by multiple layers of sophisticated encoders without using any signature or pattern of the decoder. To the best of our knowledge, CodeXt is the first tool that can automatically extract code protected by Metasploit’s polymorphic xor additive feedback encoder Shikata-Ga-Nai, as well as transient code protected by multi-layer incremental encoding.

Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Farley, R., Wang, X. (2014). CodeXt: Automatic Extraction of Obfuscated Attack Code from Memory Dump. In: Chow, S.S.M., Camenisch, J., Hui, L.C.K., Yiu, S.M. (eds) Information Security. ISC 2014. Lecture Notes in Computer Science, vol 8783. Springer, Cham. https://doi.org/10.1007/978-3-319-13257-0_32

  • DOI: https://doi.org/10.1007/978-3-319-13257-0_32

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-13256-3

  • Online ISBN: 978-3-319-13257-0

  • eBook Packages: Computer Science, Computer Science (R0)
