Publication Details

Exploiting C++ Mechanisms in Retargetable Machine-Code Decompilation

MATULA, P.; KOLÁŘ, D.; JAKUB, D. Exploiting C++ Mechanisms in Retargetable Machine-Code Decompilation. Proceedings of the 10th Doctoral Workshop on Mathematical and Engineering Methods in Computer Science. Telč: 2015. p. 1-12.
Czech title
Využití C++ Mechanismů při Zpětném Překladu
Type
conference paper
Language
English
Authors
Matula Peter, Ing.
Kolář Dušan, doc. Dr. Ing. (DIFS)
Jakub Dušan, Ing.
Keywords
decompilation, reverse engineering, executable analysis, C++ reversing, virtual table, RTTI
Abstract
Retargetable machine-code decompilation transforms a platform-independent executable into a high-level language (HLL). Decompilers may be used by reverse engineers to manually inspect suspicious binaries (e.g. malicious software). Most existing decompilers translate low-level machine code into the C language, since it is simple, yet more readable. Until recently, a combination of high-level C and low-level assembly representations was enough to reverse most applications. However, due to the increasing usage of the C++ programming language in the creation of more complex malware, understanding reversed programs has become much more difficult. Decompilation of C++ programs into C often produces huge and enigmatic outputs. Therefore, new techniques reconstructing C++ features have to be developed.
This paper presents several such techniques. Based on the C++ specification, known ABIs and existing research, it recognises and analyses several C++ mechanisms like virtual tables or RTTI structures. Moreover, the results are used by the AVG Retargetable Decompiler to make its output more readable. The presented techniques are experimentally evaluated on several real-world programs and compared with other state-of-the-art analyzers.
Published
2015
Pages
1–12
Proceedings
Proceedings of the 10th Doctoral Workshop on Mathematical and Engineering Methods in Computer Science
Conference
MEMICS'15 - 10th Doctoral Workshop on Mathematical and Engineering Methods in Computer Science, Telč, CZ
Place
Telč
BibTeX
@inproceedings{BUT192993,
  author="Peter {Matula} and Dušan {Kolář} and Dušan {Jakub}",
  title="Exploiting C++ Mechanisms in Retargetable Machine-Code Decompilation",
  booktitle="Proceedings of the 10th Doctoral Workshop on Mathematical and Engineering Methods in Computer Science",
  year="2015",
  pages="1--12",
  address="Telč"
}