Abstract:
Malware writers use the exception return of a subroutine (a return instruction whose target was not set up by a matching call) to evade detection by malware detectors. To counter this technique, this paper proposes a novel disassembly algorithm. The algorithm decodes an executable file twice and emulates the operations performed on the memory stack. Through this twice-decoding and emulation process, the algorithm recognizes exception returns and thus ensures the correctness of the decoding process. Compared with two commonly used disassemblers, IDAPro and OBJDump, this algorithm is better at identifying this kind of exception and improves the rate of correct disassembly.
Key words:
disassembly,
code obfuscation,
malware
Abstract (translated from Chinese): To counter the interference that abnormal subroutine returns cause to disassembly, this paper proposes a disassembly algorithm that can effectively resist this technique. The algorithm scans the target executable with a two-pass decoding process and simulates the operations that the code performs on the memory stack during execution, so that an executable that has been obfuscated in this way is decoded correctly. Comparison with the disassembly results of two commonly used disassemblers, IDAPro and OBJDump, shows that the algorithm effectively identifies cases of abnormal subroutine return and thus effectively improves the correctness rate of disassembly.
Key words (translated from Chinese):
disassembly,
code obfuscation,
malware
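As an added illustration (not the paper's algorithm or code), the following Python models the core idea on a tiny x86 subset: a plain sequential sweep is compared with a traversal that emulates push and call on a simulated stack, so that a `ret` whose return address was pushed as an immediate is recognized as a jump rather than a subroutine return. The byte sequence, base address and the five-opcode subset are constructed for this example.

```python
import struct

# Constructed sample (not from the paper), loaded at BASE: "push 0x100B; ret" acts as a jump
# over five junk bytes, the obfuscation the paper targets; a genuine call/ret pair follows.
BASE = 0x1000
CODE = bytes([0x68, 0x0B, 0x10, 0x00, 0x00,  # 0x1000 push 0x100B
              0xC3,                          # 0x1005 ret   (really a jmp 0x100B)
              0x90, 0x90, 0x90, 0x90, 0x68,  # 0x1006 junk; trailing 0x68 desyncs a linear sweep
              0x90,                          # 0x100B nop
              0xE8, 0x02, 0x00, 0x00, 0x00,  # 0x100C call 0x1013
              0x90, 0xCC,                    # 0x1011 nop; 0x1012 int3 (end of flow)
              0x90, 0xC3])                   # 0x1013 nop; 0x1014 ret (genuine, to 0x1011)

def decode(addr):
    """Decode one instruction of a tiny x86 subset at addr -> (mnemonic, operand, length)."""
    off = addr - BASE
    op = CODE[off]
    if op == 0x90: return ("nop", None, 1)
    if op == 0xCC: return ("int3", None, 1)
    if op == 0xC3: return ("ret", None, 1)
    if op == 0x68: return ("push", struct.unpack_from("<I", CODE, off + 1)[0], 5)
    if op == 0xE8: return ("call", addr + 5 + struct.unpack_from("<i", CODE, off + 1)[0], 5)
    return ("db", op, 1)  # unknown byte: emit as data

def linear_sweep():
    """Sequential decoding: assumes the bytes after every instruction are code."""
    seen, addr = [], BASE
    while addr < BASE + len(CODE):
        seen.append(addr)
        addr += decode(addr)[2]
    return seen

def stack_aware_sweep():
    """Follow control flow from BASE while emulating push/call so each ret can be classified."""
    seen, abnormal, stack, addr = set(), [], [], BASE  # stack holds ("imm"|"call", value)
    while BASE <= addr < BASE + len(CODE) and addr not in seen:
        seen.add(addr)
        mnem, operand, ln = decode(addr)
        if mnem == "push": stack.append(("imm", operand)); addr += ln
        elif mnem == "call": stack.append(("call", addr + ln)); addr = operand
        elif mnem == "ret":
            if not stack: break  # return address unknown: stop this path
            kind, target = stack.pop()
            if kind == "imm": abnormal.append((addr, target))  # ret used as a jump
            addr = target
        elif mnem in ("int3", "db"): break
        else: addr += ln
    return sorted(seen), abnormal
```

The linear sweep decodes the junk at 0x100A as a `push` that swallows the real `nop` and `call` at 0x100B and 0x100C, while the stack-aware traversal reports the `ret` at 0x1005 as an abnormal return to 0x100B and decodes the genuine instructions behind it.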
CLC Number:
ZHANG Yi-chi; PANG Jian-min; ZHAO Rong-cai; HAN Xiao-su. Identification of Exception Return in Subroutine of Executable File (original Chinese title: 可执行文件中子程序异常返回的识别)[J]. Computer Engineering (计算机工程), 2009, 35(2): 15-17.