Book chapter, open access, peer reviewed

CodeXt: Automatic Extraction of Obfuscated Attack Code from Memory Dump

2014; Springer Science+Business Media; Language: English

10.1007/978-3-319-13257-0_32

ISSN

1611-3349

Authors

Ryan Farley, Xinyuan Wang

Topic(s)

Software Testing and Debugging Techniques

Abstract

In this paper, we present CodeXt, a novel malware code extraction framework built on the S2E selective symbolic execution platform. Upon real-time detection of an attack, CodeXt automatically and accurately pinpoints the exact start and boundaries of the attack code even when it is mingled with random bytes in the memory dump. CodeXt has a generic way of handling self-modifying code and multiple layers of encoding: it can automatically extract the complete hidden and transient code protected by multiple layers of sophisticated encoders without using any signature or pattern of the decoder. To the best of our knowledge, CodeXt is the first tool that can automatically extract code protected by Metasploit's polymorphic XOR additive feedback encoder Shikata-Ga-Nai, as well as transient code protected by multi-layer incremental encoding.
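To make concrete what "multiple layers of XOR additive feedback encoding" and "transient code" mean in the abstract, here is an added C illustration. It is not CodeXt's code and not Metasploit's Shikata-Ga-Nai encoder or its polymorphic decoder stub; it implements an assumed, simplified recurrence of that encoder family (per 32-bit word, `c = p ^ key; key += p`), wraps a constructed 16-byte payload in three layers with constructed keys, peels the layers back to expose each transient intermediate image, and shows why the feedback defeats pattern-based decoder signatures: a one-bit change in the first plaintext word changes every later ciphertext word. All names, keys and the sample payload are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample payload: an x86 fragment (xor eax,eax / push eax /
 * push "//sh") padded to 16 bytes with NOP (0x90) and INT3 (0xcc).
 * Assumed input for the demo; any byte string works. */
static const uint8_t SAMPLE_PAYLOAD[16] = {
    0x90, 0x90, 0x90, 0x90, 0x31, 0xc0, 0x50, 0x68,
    0x2f, 0x2f, 0x73, 0x68, 0xcc, 0xcc, 0xcc, 0xcc
};
#define SAMPLE_LEN (sizeof SAMPLE_PAYLOAD)

/* Assumed demo keys, one per layer (keys[0] is the innermost layer). */
static const uint32_t DEMO_KEYS[3] = { 0xdeadbeef, 0x13371337, 0x0badc0de };

static uint32_t load_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void store_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* One XOR additive-feedback layer, in place. Per 32-bit word:
 *   c = p ^ key;  key += p   (feedback on the decoded word).
 * len must be a multiple of 4. Simplified model, not the real stub. */
void xaf_encode(uint8_t *buf, size_t len, uint32_t key)
{
    for (size_t i = 0; i + 4 <= len; i += 4) {
        uint32_t p = load_le32(buf + i);
        store_le32(buf + i, p ^ key);
        key += p;
    }
}

/* Inverse of one layer: the loop a decoder stub would run in memory
 * before jumping to the recovered bytes. */
void xaf_decode(uint8_t *buf, size_t len, uint32_t key)
{
    for (size_t i = 0; i + 4 <= len; i += 4) {
        uint32_t p = load_le32(buf + i) ^ key;
        store_le32(buf + i, p);
        key += p;
    }
}

/* Apply nlayers layers; decoding must peel keys[nlayers-1] first. */
void xaf_encode_layers(uint8_t *buf, size_t len,
                       const uint32_t *keys, size_t nlayers)
{
    for (size_t l = 0; l < nlayers; l++)
        xaf_encode(buf, len, keys[l]);
}

/* Peel all layers. Each intermediate image is "transient code": it exists
 * only between two decoder stages. Returns 1 if the cleartext surfaces
 * exactly once, after the last layer; 0 if a layer was a no-op or the
 * final image does not match. */
int xaf_extract(uint8_t *buf, size_t len, const uint32_t *keys,
                size_t nlayers, const uint8_t *expected)
{
    for (size_t l = nlayers; l-- > 0; ) {
        xaf_decode(buf, len, keys[l]);
        if (l > 0 && memcmp(buf, expected, len) == 0)
            return 0;
    }
    return memcmp(buf, expected, len) == 0;
}

/* Three-layer round trip on the constructed payload. Returns 1 on success. */
int demo_roundtrip(void)
{
    uint8_t buf[SAMPLE_LEN];
    memcpy(buf, SAMPLE_PAYLOAD, SAMPLE_LEN);
    xaf_encode_layers(buf, SAMPLE_LEN, DEMO_KEYS, 3);
    if (memcmp(buf, SAMPLE_PAYLOAD, SAMPLE_LEN) == 0)
        return 0; /* nothing was hidden */
    return xaf_extract(buf, SAMPLE_LEN, DEMO_KEYS, 3, SAMPLE_PAYLOAD);
}

/* Why byte signatures fail on this family: the feedback makes every later
 * ciphertext word depend on every earlier plaintext word. Returns 1 if
 * flipping one bit of word 0 changes all three following words. */
int feedback_propagates(void)
{
    uint8_t a[SAMPLE_LEN], b[SAMPLE_LEN];
    memcpy(a, SAMPLE_PAYLOAD, SAMPLE_LEN);
    memcpy(b, SAMPLE_PAYLOAD, SAMPLE_LEN);
    b[0] ^= 0x01;
    xaf_encode(a, SAMPLE_LEN, DEMO_KEYS[0]);
    xaf_encode(b, SAMPLE_LEN, DEMO_KEYS[0]);
    for (size_t i = 4; i < SAMPLE_LEN; i += 4)
        if (load_le32(a + i) == load_le32(b + i))
            return 0;
    return 1;
}

int main(void)
{
    printf("three-layer round trip: %s\n", demo_roundtrip() ? "ok" : "FAIL");
    printf("feedback propagates:    %s\n", feedback_propagates() ? "yes" : "no");
    return 0;
}
```

The point of `xaf_extract` is the check it performs between stages: an extractor that stops at the first decoded image would report the middle layer's bytes as "the payload", which is exactly the transient-code problem the abstract describes. The real encoder additionally randomizes the decoder stub's instructions, so even the loop above has no fixed byte pattern to match on.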

Reference(s)