This Is Auburn: Electronic Theses and Dissertations

Generic Reverse Engineering Architecture with Compiler and Compression Classification Components

Date

2009-05-15

Author

Torri, Stephen

Type of Degree

Dissertation

Department

Computer Science and Software Engineering

Abstract

As more and more applications, libraries, and other types of programs are executed in untrusted environments, they will be targets of attackers. These applications are exposed to malicious programs attempting to exploit some publicly known or newly discovered vulnerability in order to produce an unwanted action. These malicious and/or suspect programs can be installed on a system without the knowledge of the user. In these circumstances, reverse engineering would be able to discover the functionality of the programs without actually executing them. This is important because it is necessary to know as much as possible about a program before executing it in a controlled environment. Since each binary application, e.g. malicious programs for Intel x86 or Java, was produced by a compiler, it would be helpful to customize the reverse engineering process by detecting which compiler was used. This research will be experimenting with methods that help detect the compiler used to create an executable program regardless of the programming language used. The method discovered for compiler detection will be added to a generic reverse engineering architecture that will utilize this information to alter its run-time behavior.