Cross-Architecture Function Matching Public
Downloadable Contentopen in viewer
Malware almost always comes without the source code; therefore, it is necessary for reverse engineers to examine malware binaries at the assembly level. Malware authors frequently re-use pieces of code, therefore new malware can often overlap with other already analyzed binaries. Function matching assists in binary diffing in that it reduces the manual labor required to examine each file and assists in identifying the differences between the two. If functions that have been previously analyzed can be identified in new malware, those results are helpful in increasing the speed and accuracy of an analyst’s reverse engineering. However, function matching becomes more difficult when matching across different architectures. Although the binaries may have been compiled from the same source code, the machine instructions cannot be compared directly, due to different instruction sets, calling conventions, register sets, etc. among different architectures. Our matcher, the PCodeMatcher, uses PCode, an intermediate representation language developed by the NSA for use in Ghidra, their reverse engineering framework. PCode is used by Ghidra to decompile machine instructions into C code independent of architecture. Using a fuzzy string-matching technique, we were able to match 70% of functions in our cross-architecture sample set. We believe that, with further development, function matching using PCode could be a valuable tool for analyzing binaries in reverse engineering.
- Last modified
- Date created
- Resource type
- Rights statement
Permanent link to this page: https://digital.wpi.edu/show/sj139457x