Research field: Analysis
Venue: Journal of Computer Virology and Hacking Techniques
Reverse engineering complex proprietary software is a tedious and time-consuming task. A fair amount of the overall effort is usually devoted to locating the software components responsible for the functionality of interest (e.g., a proprietary encryption algorithm). To aid this process, several publicly available tools can be used, implementing sophisticated algorithms for control-flow recovery, stack frame recovery, data type inference, decompilation, etc. However, the important problem of decomposing a binary executable into its constituent object files (or compile-units) has not, in our opinion, been sufficiently studied. In this paper we present novel techniques for estimating the number, as well as the boundaries, of compile-units in binary executables. We present algorithms that recover information which improves the degree of precision in reverse engineering tasks. In addition, our algorithms can be used to reduce the effort of locating, recovering and understanding specific functionalities of closed-source software. We evaluate our algorithms on the public DeepBinDiff ELF dataset, consisting of 2000 binaries, as well as on two larger executables of GNU GDB, built for ARM and AArch64, and show that they consistently approach the ground truth, with an average recovery precision close to 75%. Furthermore, we show how our research can aid binary diffing applications by comparing the recovered compile-unit structure of a pair of Microsoft Windows kernel images. We make our prototype implementation, written in Python and named REcover, publicly available for further evaluation by the reverse engineering community.
| Publication year | 2025 |
|---|---|
| Citation count | 0 |
| Publication country | Greece, Andorra |
| Site | Springer |
| Likes | 0 |