Approaching Retargetable Static, Dynamic, and Hybrid Executable-Code Analysis

Křoustek, Jakub; Kolář, Dušan

doi:10.18267/j.aip.10

Cited by 2 publications

(2 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The goal is to produce structured code consisting of proper control-flow constructs and containing as few gotos as possible to increase output comprehensibility. The Retargetable Decompiler (RetDec) [27] uses capstone for disassembling and LLVM IR as an intermediate language to minimize the overhead of adding support for new architectures. Overall, many other publications regarding RetDec exist addressing different aspects such as idiom handling [28].…”

Section: Related Workmentioning

confidence: 99%

dewolf: Improving Decompilation by leveraging User Surveys

Enders¹,

C.²,

Bergmann³

et al. 2023

Proceedings 2023 Workshop on Binary Analysis Research

View full text Add to dashboard Cite

Analyzing third-party software such as malware is a crucial task for security analysts. Although various approaches for automatic analysis exist and are the subject of ongoing research, analysts often have to resort to manual static analysis to get a deep understanding of a given binary sample. Since the source code of provided samples is rarely available, analysts regularly employ decompilers for easier and faster comprehension than analyzing a binary's disassembly.In this paper, we introduce our decompilation approach dewolf. We describe a variety of improvements over the previous academic state-of-the-art decompiler and some novel algorithms to enhance readability and comprehension, focusing on manual analysis. To evaluate our approach and to obtain a better insight into the analysts' needs, we conducted three user surveys. The results indicate that dewolf is suitable for malware comprehension and that its output quality noticeably exceeds Ghidra and Hex-Rays in certain aspects. Furthermore, our results imply that decompilers aiming at manual analysis should be highly configurable to respect individual user preferences. Additionally, future decompilers should not necessarily follow the unwritten rule to stick to the code-structure dictated by the assembly in order to produce readable output. In fact, the few cases where dewolf already cracks this rule leads to its results considerably exceeding other decompilers. We publish a prototype implementation of dewolf and all survey results [1], [2].

show abstract

Section: Related Workmentioning

confidence: 99%

dewolf: Improving Decompilation by leveraging User Surveys

Enders¹,

C.²,

Bergmann³

et al. 2023

Proceedings 2023 Workshop on Binary Analysis Research

View full text Add to dashboard Cite

show abstract

“…Reverse engineering of binary code has been the subject of many research works [2], [6], [38]. Research [2], [19], commercial (HexRays) and open source (GHIDRA) decompilers have been developed targeting the C language using the traditional approach. There have been attempts to make traditional methods produce more human-readable code and construct more structured control flow (e.g.…”

Section: Related Workmentioning

confidence: 99%

Beyond the C: Retargetable Decompilation using Neural Machine Translation

Hosseini¹,

Dolan-Gavitt²

2022

Proceedings 2022 Workshop on Binary Analysis Research

View full text Add to dashboard Cite

The problem of reversing the compilation process, decompilation, is an important tool in reverse engineering of computer software. Recently, researchers have proposed using techniques from neural machine translation to automate the process in decompilation. Although such techniques hold the promise of targeting a wider range of source and assembly languages, to date they have primarily targeted C code. In this paper we argue that existing neural decompilers have achieved higher accuracy at the cost of requiring language-specific domain knowledge such as tokenizers and parsers to build an abstract syntax tree (AST) for the source language, which increases the overhead of supporting new languages. We explore a different tradeoff that, to the extent possible, treats the assembly and source languages as plain text, and show that this allows us to build a decompiler that is easily retargetable to new languages. We evaluate our prototype decompiler, Beyond The C (BTC), on Go, Fortran, OCaml, and C, and examine the impact of parameters such as tokenization and training data selection on the quality of decompilation, finding that it achieves comparable decompilation results to prior work in neural decompilation with significantly less domain knowledge. We will release our training data, trained decompilation models, and code to help encourage future research into language-agnostic decompilation.

show abstract

Approaching Retargetable Static, Dynamic, and Hybrid Executable-Code Analysis

Cited by 2 publications

References 8 publications

dewolf: Improving Decompilation by leveraging User Surveys

dewolf: Improving Decompilation by leveraging User Surveys

Beyond the C: Retargetable Decompilation using Neural Machine Translation

Contact Info

Product

Resources

About