Identifying functions in binary code with reverse extended control flow graphs

Qiu, Jing Hui; Su, Xin; Ma, Peijun

doi:10.1002/smr.1733

Cited by 2 publications

(2 citation statements)

References 21 publications

(29 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For functions without classic prologue/epilogue, the above techniques may fail to identify these functions. The only one that identifies functions using the return instructions is reference [4]. Qiu et al identified functions by scanning all possible return instructions and then building reverse extended control flow graphs (RECFG) from return instructions.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Return Instruction Identiﬁcation in Binary Code with Machine Learning

Qiu¹,

Sun²

2019

IJPE

Self Cite

View full text Add to dashboard Cite

Binary code analysis is the main method for malware analysis. In this paper, the analysis is started by identifying return instructions to disassemble binary code. The return instruction identification problem is converted into a binary classification problem: is a byte in binary code the first byte of a return instruction? The 32 bytes around a byte in binary code are considered the feature of the byte. A multilayer perceptron is employed to build the classification model. Then, the model is trained with 1,383 binaries from Windows XP SP3. The evaluation results on several open sources show that our approach is feasible and has high accuracy.

show abstract

Section: Related Workmentioning

confidence: 99%

“…Based on the result, the range of each function in a binary code will be partitioned. Finally, for each identified function return instruction, a reverse extended control graph will be used to identify the function entry point [4] and finally finish the function identification work.…”

Section: Introductionmentioning

confidence: 99%

Return Instruction Identiﬁcation in Binary Code with Machine Learning

Qiu¹,

Sun²

2019

IJPE

Self Cite

View full text Add to dashboard Cite

show abstract

Return Instruction Classification in Binary Code Using Machine Learning

Qiu¹,

Geng²,

Dong³

2022

Int. J. Soft. Eng. Knowl. Eng.

View full text Add to dashboard Cite

Binary code analysis is vital in source code unavailable cases, such as malware analysis and software vulnerability mining. Its first step could be function identification. Most function identification methods are based on function prologs/epilogs. However, functions may not have standard prologs/epilogs. To identify these functions, we need to use other methods. One approach is to identify return instructions first and then identify the start of a function. Currently, the multi-layer perceptron model is exploited to identify and validate a return instruction at a specific location. On this basis, a new approach is proposed to improve accuracy and provide more details. Specifically, a return instruction is classified into three classes: (1) false return instruction, (2) true return instruction inner a function but not the last instruction, and (3) true return instruction at the end of a function. The evaluation is performed on 5782 real-world binaries. Meanwhile, common classifiers including fully connected neural network, Two-layer Bidirectional Recurrent Neural Network (TBRNN), Two-layer Bidirectional Gate Recurrent Unit (TBGRU), Two-layer Bidirectional Long Short-term Memory Network (TBLSTM), Decision Tree, Random Forest, XGBoost, and Support Vector Machine (SVM) are evaluated on the same data set. The result shows that TBLSTM achieves an accuracy of 99.78%, which is higher than that of other classifiers in the evaluation, including the state-of-the-art tool IDA Pro 7.7.

show abstract

Identifying functions in binary code with reverse extended control flow graphs

Cited by 2 publications

References 21 publications

Return Instruction Identiﬁcation in Binary Code with Machine Learning

Return Instruction Identiﬁcation in Binary Code with Machine Learning

Return Instruction Classification in Binary Code Using Machine Learning

Contact Info

Product

Resources

About