Analyzing third-party software such as malware or firmware is a crucial task for security analysts. Although various approaches for automatic analysis exist and are the subject of ongoing research, analysts often have to resort to manual static analysis to gain a deep understanding of a given binary sample. Since the source code of encountered samples is rarely available, analysts regularly employ decompilers, whose output is easier and faster to comprehend than a binary's disassembly. In this paper, we introduce our decompilation approach dewolf. We developed a variety of improvements over the previous academic state-of-the-art decompiler, as well as some novel algorithms, to enhance readability and comprehension, with a focus on manual analysis. To evaluate our approach and to obtain better insight into analysts' needs, we conducted three user surveys. The results indicate that dewolf is suitable for malware comprehension and that its output quality noticeably exceeds that of Ghidra and Hex-Rays in certain aspects. Furthermore, our results imply that decompilers aimed at manual analysis should be highly configurable to respect individual user preferences. Additionally, future decompilers should not necessarily follow the unwritten rule of sticking to the code structure dictated by the assembly in order to produce readable output. In fact, in the few cases where dewolf already breaks this rule, its results considerably exceed those of other decompilers. We publish a prototype implementation of dewolf and all survey results on GitHub.