Reconstructing a Packed DLL Binary for Static Analysis

  • Xianggen Wang
  • Dengguo Feng
  • Purui Su
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5451)


DLLs (Dynamic Link Libraries) are usually protected by various anti-reversing engineering techniques. One technique commonly used is code packing as packed DLLs hinder static code analysis such as disassembly. In this paper, we propose a technique to reconstruct a binary file for static analysis by loading a DLL and triggering and monitoring the execution of the entry-point function and exported functions of packed DLLs. By monitoring all memory operations and control transfer instructions, our approach extracts the original hidden code which is written into the memory at run-time and constructs a binary based on the original DLL, the codes extracted and the records of control transfers. To demonstrate its effectiveness, we implemented our prototype ReconPD based on QEMU. The experiments show that ReconPD is able to analyze the packed DLLs, yet practical in terms of performance. Moreover, the reconstructed binary files can be successfully analyzed by static analysis tools, such as IDA Pro.


Security Analysis Malware Analysis Binary Reconstructing Dynamic Analysis Static Analysis 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Balakrishnan, G., Gruian, R., Reps, T., Teitelbaum, T.: CodeSurfer/x86—A platform for analyzing x86 executables. In: Bodik, R. (ed.) CC 2005. LNCS, vol. 3443, pp. 250–254. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  2. 2.
    Christodorescu, M., Jha, S.: Static Analysis of Executables to Detect Malicious Patterns. In: Usenix Security Symposium (2003)Google Scholar
  3. 3.
    Christodorescu, M., Jha, S., Seshia, S., Song, D., Bryant, R.: Semantics-aware Malware Detection. In: IEEE Symposium on Security and Privacy (2005)Google Scholar
  4. 4.
  5. 5.
  6. 6.
  7. 7.
    van Oorschot, P.C.: Revisiting software protection. In: Boyd, C., Mao, W. (eds.) ISC 2003. LNCS, vol. 2851, pp. 1–13. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  8. 8.
    Wang, P.: Tamper Resistance for Software Protection, Master Thesis, Information and Communications University, Korea (2005)Google Scholar
  9. 9.
    Kanzaki, Y., Monden, A., Nakamura, M., Matsumoto, K.: Exploiting self-modification mechanism for program protection. In: Proc. of the 27th Annual International Computer Software and Applications Conference, pp. 170–181 (2003)Google Scholar
  10. 10.
    Giffin, J.T., Christodorescu, M., Kruger, L.: Strengthening Software Self-Checksumming via Self-Modifying Code. In: 21st Annual Computer Security Applications Conference, pp. 23–32 (2005)Google Scholar
  11. 11.
    Albert, D.J., Morse, S.P.: Combating Software Piracy by Encryption and Key Management. Computer (1984)Google Scholar
  12. 12.
    Lee, J.-W., Kim, H., Yoon, H.: Tamper resistant software by integrity-based encryption. In: Liew, K.-M., Shen, H., See, S., Cai, W. (eds.) PDCAT 2004. LNCS, vol. 3320, pp. 608–612. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  13. 13.
    Huang, Y.L., Ho, F.S., Tsai, H.Y., Kao, H.M.: A control flow obfuscation method to discourage malicious tampering of software codes. In: ASIACCS 2006, computer and communications security, New York, NY, USA, p. 362 (2006)Google Scholar
  14. 14.
    Linn, C., Debray, S.: Obfuscation of executable code to improve resistance to static disassembly. In: CCS 2003, New York, NY, USA, pp. 290–299 (2003)Google Scholar
  15. 15.
    Wroblewski, G.: General method of program code obfuscation. In: Proc. Int. Conf. on Software Engineering Research and Practice (SERP) (2002)Google Scholar
  16. 16.
    Christodorescu, M., Kinder, J., Jha, S., Katzenbeisser, S., Veith, H.: Malware normalization. Technical Report 1539, University of Wisconsin, USA (2005)Google Scholar
  17. 17.
    DataRescue SA. IDA Pro disassembler: Multi-processor, Windows hosted disassembler and debugger,
  18. 18.
    Royal, P., Halpin, M., Dagon, D., Edmonds, R., Lee, W.: PolyUnpack: Automating the hidden-code extraction of unpack-executing malware. In: ACSAC 2006, USA, pp. 289–300 (2006)Google Scholar
  19. 19.
    Nanda, S., Li, W., Lam, L., Chiueh, T.: BIRD: Binary interpretation using runtime disassembly. In: CGO 2006, USA, pp. 358–370 (2006)Google Scholar
  20. 20.
    Kang, M.G., Poosankam, P., Yin, H.: Renovo: A Hidden Code Extractor for Packed Executables. In: The 5th ACM Workshop on Recurring Malcode (WORM) (2007)Google Scholar
  21. 21.
    Moser, A., Kruegel, C., Kirda, E.: Exploring Multiple Execution Paths for Malware Analysis. In: SP 2007, pp. 231–245 (2007)Google Scholar
  22. 22.
    Bellard, F.: QEMU, a Fast and Portable Dynamic Translator. In: FREENIX Track: 2005 USENIX Annual Technical Conference (2005)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Xianggen Wang
    • 1
    • 2
  • Dengguo Feng
    • 2
  • Purui Su
    • 2
  1. 1.University of Science and Technology of ChinaChina
  2. 2.State Key Laboratory of Information Security, Institute of SoftwareChinese Academy of SciencesChina

Personalised recommendations