search menu icon-carat-right cmu-wordmark

Recovering C++ Objects From Binaries Using Inter-Procedural Data-Flow Analysis

October 2014 Article
Wesley Jin, Cory Cohen, Jeff Gennari, Chuck Hines, Sagar Chaki, Arie Gurfinkel, Jeff Havrilla, Priya Narasimhan (Carnegie Mellon University)

In this article, the authors present a static approach that uses symbolic execution and inter-procedural data flow analysis to discover object instances, data members, and methods of a common class.

Publisher:

ACM, Inc.

Abstract

Object-oriented programming complicates the already difficult task of reverse engineering software, and is being used increasingly by malware authors. Unlike traditional procedural-style code, reverse engineers must understand the complex interactions between object-oriented methods and the shared data structures with which they operate on, a tedious manual process.

In this paper, we present a static approach that uses symbolic execution and inter-procedural data flow analysis to discover object instances, data members, and methods of a common class. The key idea behind our work is to track the propagation and usage of a unique object instance reference, called a this pointer. Our goal is to help malware reverse engineers to understand how classes are laid out and to identify their methods. We have implemented our approach in a tool called ObJDIGGER, which produced encouraging results when validated on real-world malware samples.