Article

Inspector Gadget: Automated Extraction of Proprietary Gadgets from Malware Binaries

Authors:

Clemens Kolbitsch,

Thorsten Holz,

Christopher Kruegel,

Engin KirdaAuthors Info & Claims

SP '10: Proceedings of the 2010 IEEE Symposium on Security and Privacy

Pages 29 - 44

https://doi.org/10.1109/SP.2010.10

Published: 16 May 2010 Publication History

Publisher Site

Abstract

Unfortunately, malicious software is still an unsolved problem and a major threat on the Internet. An important component in the fight against malicious software is the analysis of malware samples: Only if an analyst understands the behavior of a given sample, she can design appropriate countermeasures. Manual approaches are frequently used to analyze certain key algorithms, such as downloading of encoded updates, or generating new DNS domains for command and control purposes. In this paper, we present a novel approach to automatically extract, from a given binary executable, the algorithm related to a certain activity of the sample. We isolate and extract these instructions and generate a so-called gadget, i.e., a stand-alone component that encapsulates a specific behavior. We make sure that a gadget can autonomously perform a specific task by including all relevant code and data into the gadget such that it can be executed in a self-contained fashion. Gadgets are useful entities in analyzing malicious software: In particular, they are valuable for practitioners, as understanding a certain activity that is embedded in a binary sample (e.g., the update function) is still largely a manual and complex task. Our evaluation with several real-world samples demonstrates that our approach is versatile and useful in practice.

Cited By

View all

Liu XYou WYe YZhang ZHuang JZhang XRoychoudhury APaiva AAbreu RStorey M(2024)FuzzInMem: Fuzzing Programs via In-memory StructuresProceedings of the IEEE/ACM 46th International Conference on Software Engineering10.1145/3597503.3639172(1-13)Online publication date: 20-May-2024
https://dl.acm.org/doi/10.1145/3597503.3639172
Usui TOtsuki YKawakoya YIwamura MMatsuura K(2022)Script Tainting Was Doomed From The Start (By Type Conversion): Converting Script Engines into Dynamic Taint Analysis FrameworksProceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses10.1145/3545948.3545969(380-394)Online publication date: 26-Oct-2022
https://dl.acm.org/doi/10.1145/3545948.3545969
Yong Wong MLanden MAntonakakis MBlough DRedmiles EAhamad MKim YKim JVigna GShi E(2021)An Inside Look into the Practice of Malware AnalysisProceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security10.1145/3460120.3484759(3053-3069)Online publication date: 12-Nov-2021
https://dl.acm.org/doi/10.1145/3460120.3484759
Show More Cited By

Recommendations

Leo Laporte's 2006 Gadget Guide (Laporte Press)
A Static Method to Discover Deserialization Gadget Chains in Java Programs
ICCIR '22: Proceedings of the 2022 2nd International Conference on Control and Intelligent Robotics

Java deserialization vulnerability has become a server security problem at present. An attacker can execute arbitrary commands by submitting a malicious object for deserialization. However, existing methods for detecting Java deserialization ...
Towards Automating Code-Reuse Attacks Using Synthesized Gadget Chains
Computer Security – ESORICS 2021
Abstract
In the arms race between binary exploitation techniques and mitigation schemes, code-reuse attacks have been proven indispensable. Typically, one of the initial hurdles is that an attacker cannot execute their own code due to countermeasures such ...

Comments

Information & Contributors

Information

Published In

SP '10: Proceedings of the 2010 IEEE Symposium on Security and Privacy

May 2010

504 pages

ISBN:9780769540351

Publisher

IEEE Computer Society

United States

Publication History

Published: 16 May 2010

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

31
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 11 Aug 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Liu XYou WYe YZhang ZHuang JZhang XRoychoudhury APaiva AAbreu RStorey M(2024)FuzzInMem: Fuzzing Programs via In-memory StructuresProceedings of the IEEE/ACM 46th International Conference on Software Engineering10.1145/3597503.3639172(1-13)Online publication date: 20-May-2024
https://dl.acm.org/doi/10.1145/3597503.3639172
Usui TOtsuki YKawakoya YIwamura MMatsuura K(2022)Script Tainting Was Doomed From The Start (By Type Conversion): Converting Script Engines into Dynamic Taint Analysis FrameworksProceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses10.1145/3545948.3545969(380-394)Online publication date: 26-Oct-2022
https://dl.acm.org/doi/10.1145/3545948.3545969
Yong Wong MLanden MAntonakakis MBlough DRedmiles EAhamad MKim YKim JVigna GShi E(2021)An Inside Look into the Practice of Malware AnalysisProceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security10.1145/3460120.3484759(3053-3069)Online publication date: 12-Nov-2021
https://dl.acm.org/doi/10.1145/3460120.3484759
Darki AFaloutsos MHan DFeldmann A(2020)RIoTMANProceedings of the 16th International Conference on emerging Networking EXperiments and Technologies10.1145/3386367.3431317(169-182)Online publication date: 23-Nov-2020
https://dl.acm.org/doi/10.1145/3386367.3431317
Zhang ZYou WTao GWei GKwon YZhang X(2019)BDA: practical dependence analysis for binary executables by unbiased whole-program path sampling and per-path abstract interpretationProceedings of the ACM on Programming Languages10.1145/33605633:OOPSLA(1-31)Online publication date: 10-Oct-2019
https://dl.acm.org/doi/10.1145/3360563
Karande VChandra SLin ZCaballero JKhan LHamlen KKim JAhn GKim SKim YLopez JKim T(2018)BCDProceedings of the 2018 on Asia Conference on Computer and Communications Security10.1145/3196494.3196504(393-398)Online publication date: 29-May-2018
https://dl.acm.org/doi/10.1145/3196494.3196504
Kwon YWang WZheng YZhang XXu DBultan TSen K(2017)CPR: cross platform binary code reuse via platform independent trace programProceedings of the 26th ACM SIGSOFT International Symposium on Software Testing and Analysis10.1145/3092703.3092707(158-169)Online publication date: 10-Jul-2017
https://dl.acm.org/doi/10.1145/3092703.3092707
Caballero JLin Z(2016)Type Inference on ExecutablesACM Computing Surveys10.1145/289649948:4(1-35)Online publication date: 2-May-2016
https://dl.acm.org/doi/10.1145/2896499
Wang SWang PWu D(2015)Reassembleable disassemblingProceedings of the 24th USENIX Conference on Security Symposium10.5555/2831143.2831183(627-642)Online publication date: 12-Aug-2015
https://dl.acm.org/doi/10.5555/2831143.2831183
Andriesse DRossow CBos HCho KFukuda KPai VSpring N(2015)Reliable Recon in Adversarial Peer-to-Peer BotnetsProceedings of the 2015 Internet Measurement Conference10.1145/2815675.2815682(129-140)Online publication date: 28-Oct-2015
https://dl.acm.org/doi/10.1145/2815675.2815682
Show More Cited By

Abstract

Cited By

Recommendations

Leo Laporte's 2006 Gadget Guide (Laporte Press)

A Static Method to Discover Deserialization Gadget Chains in Java Programs

Towards Automating Code-Reuse Attacks Using Synthesized Gadget Chains

Comments

Information

Published In

Publisher

Publication History

Qualifiers

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations