
Approxis: A Fast, Robust, Lightweight and Approximate Disassembler Considered in the Field of Memory Forensics

  • Conference paper
  • Published in: Digital Forensics and Cyber Crime (ICDF2C 2017)

Abstract

Detecting known and unknown code structures in large sets of data is a challenging task; one example is the examination of memory dumps of an infected system. Memory forensic frameworks rely on system-relevant information and on the examination of structures located within the dump itself. With the constantly increasing size of memory in use, additional methods of data reduction (similar to those in disk forensics) are desirable. In the field of disk forensics, approximate matching algorithms are well known; in the field of memory forensics, however, the application of those algorithms is impractical. In this paper we introduce approxis: an approximate disassembler. In contrast to other disassemblers, our approach does not rely on an internal disassembler engine, as the system is based on a compressed set of ground-truth x86 and x86-64 assemblies. Our first prototype shows good computational performance and is able to detect code in large sets of raw data. Additionally, our current implementation is able to differentiate between architectures while disassembling. In summary, approxis is the first attempt to interface approximate matching with the field of memory forensics.




Acknowledgement

This work was supported by the German Federal Ministry of Education and Research (BMBF) as well as by the Hessen State Ministry for Higher Education, Research and the Arts (HMWK) within CRISP (crisp-da.de).

Author information

Corresponding author: Lorenz Liebler


Copyright information

© 2018 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper


Cite this paper

Liebler, L., Baier, H. (2018). Approxis: A Fast, Robust, Lightweight and Approximate Disassembler Considered in the Field of Memory Forensics. In: Matoušek, P., Schmiedecker, M. (eds) Digital Forensics and Cyber Crime. ICDF2C 2017. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 216. Springer, Cham. https://doi.org/10.1007/978-3-319-73697-6_12


  • DOI: https://doi.org/10.1007/978-3-319-73697-6_12
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-73696-9
  • Online ISBN: 978-3-319-73697-6
  • eBook Packages: Computer Science (R0)
