Recovering C++ Objects From Binaries Using Inter-Procedural Data-Flow Analysis

Wesley Jin, Cory Cohen, Charles Hines, Sagar Chaki, Arie Gurfinkel, Jeffrey Havrilla, Priya Narasimhan, Proceedings of the 3rd ACM SIGPLAN Program Protection and Reverse Engineering Workshop (PPREW'14), Jan 25, 2014. Best Paper Award Winner.

Abstract: Object-oriented programming complicates the already difficult task of reverse engineering software, and is being used increasingly by malware authors. Unlike with traditional procedural code, reverse engineers must understand the complex interactions between object-oriented methods and the shared data structures on which they operate, a tedious manual process. In this paper, we present a static approach that uses symbolic execution and inter-procedural data-flow analysis to discover object instances, data members, and methods of a common class. The key idea behind our work is to track the propagation and usage of a unique reference to an object instance, the this pointer. Our goal is to help malware reverse engineers understand how classes are laid out and to identify their methods. We have implemented our approach in a tool called ObjDigger, which produced encouraging results when validated on real-world malware samples.
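The abstract's key idea, propagating a this pointer through register copies and into callees to group members and methods into one class, is illustrated below by an added toy example. It is not ObjDigger's code and does no symbolic execution; it walks a hand-written, constructed x86 listing (hypothetical class names Widget and Logger, with an invented layout) under the MSVC x86 __thiscall convention, where this arrives in ecx and eax/ecx/edx are caller-saved. Memory accesses through any this-derived register become data-member offsets, a call made with this still in ecx is recorded as a method of the same class and analyzed recursively, and a call made on an adjusted this (lea ecx, [ecx+N]) is treated as a method of an embedded object rather than of the class being recovered.

```python
"""Toy this-pointer propagation over a constructed x86 (MSVC __thiscall) listing.
Added illustrative example; not the paper's ObjDigger implementation."""
import re
from dataclasses import dataclass, field

REGS = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}
VOLATILE = {"eax", "ecx", "edx"}   # caller-saved on x86 MSVC: a callee may clobber them
MEM_RE = re.compile(r"^(?:dword\s+)?\[(\w+)(?:\s*([+-])\s*(0x[0-9a-fA-F]+|\d+))?\]$")
IMM_RE = re.compile(r"^(0x[0-9a-fA-F]+|\d+)$")

# Constructed sample listing (hypothetical names and layout, written by hand to
# resemble MSVC output): a constructor stores a vptr and two members, calls a
# second method through a saved copy of `this`, and that method calls a method
# of an embedded object living at offset 0x10 of the outer object.
FUNCS = {
    "Widget::Widget": [
        "push ebp",
        "mov ebp, esp",
        "mov [ecx], offset Widget::vftable",  # vptr at +0
        "mov dword [ecx+0x4], 0",             # member at +4
        "mov esi, ecx",                       # stash this: ecx is not preserved across calls
        "mov eax, [ebp+0x8]",                 # stack argument, not a member
        "mov [esi+0x8], eax",                 # member at +8, reached through the copy
        "mov ecx, esi",
        "call Widget::init",                  # this passed in ecx: same class
        "mov eax, esi",                       # MSVC constructors return this
        "pop ebp",
        "ret 4",
    ],
    "Widget::init": [
        "mov eax, [ecx+0x4]",
        "add eax, [ecx+0x8]",
        "mov [ecx+0xc], eax",                 # member at +0xc
        "lea ecx, [ecx+0x10]",                # adjusted this: embedded object at +0x10
        "call Logger::reset",                 # method of the embedded class, not of Widget
        "ret",
    ],
    "Logger::reset": ["mov dword [ecx], 0", "ret"],
}

def parse_mem(op):
    """Return (base_register, displacement) for a `[reg+disp]` operand, else None."""
    m = MEM_RE.match(op)
    if not m:
        return None
    base, sign, disp = m.groups()
    off = int(disp, 0) if disp else 0
    return base, (-off if sign == "-" else off)

@dataclass
class ClassInfo:
    methods: set = field(default_factory=set)     # functions that received this in ecx
    members: set = field(default_factory=set)     # offsets accessed relative to this
    embedded: dict = field(default_factory=dict)  # offset -> callee invoked on an adjusted this

def analyze_method(name, funcs, info, visited):
    """Walk one method, propagating `this` through register copies and into callees."""
    if name in visited or name not in funcs:
        return
    visited.add(name)
    info.methods.add(name)
    taint = {"ecx": 0}   # register -> offset from this; 0 means the register holds this itself
    for ins in funcs[name]:
        op, _, rest = ins.partition(" ")
        ops = [o.strip() for o in rest.split(",")] if rest else []
        if op != "lea":   # lea computes an address without touching memory
            for o in ops:
                mem = parse_mem(o)
                if mem and mem[0] in taint:
                    info.members.add(taint[mem[0]] + mem[1])
        if op == "mov" and ops[0] in REGS:
            if ops[1] in taint:
                taint[ops[0]] = taint[ops[1]]        # register copy of this
            else:
                taint.pop(ops[0], None)              # loaded something that is not this
        elif op == "lea":
            mem = parse_mem(ops[1])
            if mem and mem[0] in taint:
                taint[ops[0]] = taint[mem[0]] + mem[1]
            else:
                taint.pop(ops[0], None)
        elif op == "add" and ops[0] in taint and IMM_RE.match(ops[1]):
            taint[ops[0]] += int(ops[1], 0)          # pointer arithmetic on this
        elif op == "call":
            off = taint.get("ecx")
            if off == 0:
                analyze_method(ops[0], funcs, info, visited)
            elif off is not None:
                info.embedded[off] = ops[0]          # a different object's method
                info.members.add(off)
            for r in VOLATILE:
                taint.pop(r, None)
        elif op not in ("push", "cmp", "test", "ret") and ops and ops[0] in REGS:
            taint.pop(ops[0], None)                  # any other register write kills this

def recover_class(entry, funcs):
    """Recover the members and methods of the class whose method `entry` is."""
    info = ClassInfo()
    analyze_method(entry, funcs, info, set())
    return info

if __name__ == "__main__":
    cls = recover_class("Widget::Widget", FUNCS)
    print("methods :", sorted(cls.methods))
    print("members :", [hex(o) for o in sorted(cls.members)])
    print("embedded:", {hex(k): v for k, v in cls.embedded.items()})
```

Starting from the constructor, the walk attributes Widget::init to the same class because this reaches the call in ecx unchanged, while Logger::reset is kept out of the class because the pointer was offset first; the offset itself (0x10) is recorded as a member slot holding the embedded object. Dropping eax/ecx/edx after every call matters in practice: compiled code stashes this in esi or edi precisely because ecx does not survive a call, and a tracker that ignored that would attribute unrelated callees to the class.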