CodeSurfer/x86—A Platform for Analyzing x86 Executables
G. Balakrishnan, R. Gruian, T. Reps, and T. Teitelbaum
CodeSurfer/x86 is a prototype system for analyzing x86 executables.
It uses a static-analysis algorithm called value-set analysis
(VSA) to recover intermediate representations that are similar to
those that a compiler creates for a program written in a high-level
language. A major challenge in building an analysis tool for
executables is in providing useful information about operations
involving memory. This is difficult when symbol-table and debugging
information is absent or untrusted. CodeSurfer/x86 overcomes these
challenges to provide an analyst with a powerful and flexible platform
for investigating the properties and behaviors of potentially
malicious code (such as COTS components, plugins, mobile code, worms,
Trojans, and virus-infected code) using (i) CodeSurfer/x86's GUI, (ii)
CodeSurfer/x86's scripting language, which provides access to all of
the intermediate representations that CodeSurfer/x86 builds for the
executable, and (iii) GrammaTech's Path Inspector, which is a tool that
uses a sophisticated pattern-matching engine to answer questions about
the flow of execution in a program.
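As an added illustration (not code from the paper or from CodeSurfer/x86), the following sketch applies the strided-interval domain that VSA uses to a three-instruction table lookup, showing how the analysis bounds the addresses a memory read can touch without any symbol-table information. The mini instruction syntax, the table layout and the assumed input ranges for ecx are constructed for the example.

```python
from dataclasses import dataclass
from math import gcd

@dataclass(frozen=True)
class SI:
    """Strided interval s[lo, hi] = {lo, lo+s, ..., hi}; stride 0 marks a singleton."""
    s: int
    lo: int
    hi: int

    def concretize(self):
        return {self.lo} if self.s == 0 else set(range(self.lo, self.hi + 1, self.s))

def const(c):
    return SI(0, c, c)

def add(a, b):
    # Sound abstract addition: the result stride divides both input strides.
    return SI(gcd(a.s, b.s), a.lo + b.lo, a.hi + b.hi)

def shl(a, k):
    # Left shift by a constant scales every member, and the stride, by 2**k.
    return SI(a.s << k, a.lo << k, a.hi << k)

def run_vsa(program, env):
    """Abstractly execute a straight-line program over the SI domain.
    env maps register -> SI. Instruction forms (a constructed mini-syntax,
    not CodeSurfer/x86's IR): ('shl', dst, k), ('lea', dst, src, disp),
    ('load', dst, addr_reg). Returns the final env and the address
    value-set of every memory read, in program order."""
    accesses = []
    for ins in program:
        if ins[0] == 'shl':
            env[ins[1]] = shl(env[ins[1]], ins[2])
        elif ins[0] == 'lea':
            env[ins[1]] = add(env[ins[2]], const(ins[3]))
        elif ins[0] == 'load':
            accesses.append(env[ins[2]])
            env[ins[1]] = SI(1, -2**31, 2**31 - 1)  # loaded value is unknown (top)
    return env, accesses

def accesses_in_bounds(accesses, base, size):
    # True iff every address a 4-byte read may touch lies inside [base, base+size).
    return all(base <= a.lo and a.hi + 4 <= base + size for a in accesses)

# Constructed: a table of eight 4-byte entries at 0x1000, indexed by ecx.
TABLE, TABLE_SIZE = 0x1000, 32
PROG = [('shl', 'ecx', 2), ('lea', 'eax', 'ecx', TABLE), ('load', 'edx', 'eax')]
# ecx in 1[0,7] (range-checked) vs. 1[0,8] (off-by-one): the read's address set
# comes out as 4[0x1000,0x101c] vs. 4[0x1000,0x1020], the latter past the table.
_, ACC_OK = run_vsa(PROG, {'ecx': SI(1, 0, 7)})
_, ACC_BAD = run_vsa(PROG, {'ecx': SI(1, 0, 8)})
```

The stride is what makes the result precise: without it the analysis would have to assume every byte in the interval could be read.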