
1 Abstract

The number of viruses and other malware has grown dramatically over the last few years, and in all likelihood this number
will keep growing. Because of the increasing amount of malicious software circulating on the Internet, it is almost impossible
to reverse engineer every binary executable line by line, as doing so is very challenging and time consuming. In order to
provide immediate security solutions and reduce the time spent understanding the malicious portions of viruses, Trojans and
other general security flaws, this paper introduces a comprehensive design for a visual debugger. The research involves the
reverse engineering of binary executables by transforming the stream of bytes that constitutes a program into the
corresponding sequence of machine instructions. Both a static and a dynamic debugger are developed and integrated with a
graph visualization system that displays the parsed instructions of a targeted executable file as an execution flow graph.
To improve effectiveness, the graph visualization is designed to accelerate the analysis process. We reconstruct the control
flow of the targeted program and break it into smaller regions, so that fragments of malicious instructions can be easily
identified from the control flow graph information.
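The two core steps named in the abstract, decoding a byte stream into a sequence of instructions and then breaking the reconstructed control flow into smaller regions (basic blocks), can be shown on a toy instruction set. The following Python is an added example written for this page, not the authors' debugger or any real disassembler; the instruction encoding, the sample bytes and the helper names (disassemble, build_cfg, to_dot) are all constructed assumptions. It also emits the resulting graph in Graphviz DOT form, which is one way to hand the regions to a graph visualization system.

```python
from dataclasses import dataclass

# Toy instruction set constructed for this example (not a real ISA):
# one opcode byte followed by a fixed number of operand bytes.
# Jump and call operands are 1-byte absolute addresses.
OPCODES = {
    0x01: ("mov", 2),
    0x02: ("cmp", 2),
    0x03: ("jz", 1),    # conditional branch: target or fall-through
    0x04: ("jmp", 1),   # unconditional branch
    0x05: ("call", 1),  # call: execution resumes at the next instruction
    0x06: ("ret", 0),   # ends a region, no intra-procedural successors
}


@dataclass
class Insn:
    addr: int
    mnemonic: str
    operands: tuple


def disassemble(code, base=0):
    """Linear sweep: turn a byte stream into decoded instructions.
    Malformed input (unknown opcode, truncated operands) raises rather
    than silently producing garbage instructions."""
    insns, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if op not in OPCODES:
            raise ValueError(f"unknown opcode {op:#04x} at {base + pc:#06x}")
        mnemonic, nops = OPCODES[op]
        if pc + 1 + nops > len(code):
            raise ValueError(f"truncated {mnemonic} at {base + pc:#06x}")
        operands = tuple(code[pc + 1:pc + 1 + nops])
        insns.append(Insn(base + pc, mnemonic, operands))
        pc += 1 + nops
    return insns


def successors(insn, next_addr):
    """Intra-procedural control-flow successors of one instruction."""
    if insn.mnemonic == "jmp":
        return [insn.operands[0]]
    if insn.mnemonic == "jz":
        return [insn.operands[0], next_addr]
    if insn.mnemonic == "ret":
        return []
    return [next_addr]


def build_cfg(insns):
    """Split the instruction list into basic blocks (regions).
    Returns (blocks, edges, calls): leader address -> instructions in that
    block, leader -> successor leaders, leader -> callee addresses."""
    addrs = [i.addr for i in insns]
    known = set(addrs)
    next_of = {a: (addrs[k + 1] if k + 1 < len(addrs) else None)
               for k, a in enumerate(addrs)}
    # A leader starts a region: the entry, every branch/call target, and
    # the instruction following a branch or return.
    leaders = {addrs[0]}
    for i in insns:
        nxt = next_of[i.addr]
        if i.mnemonic == "call":
            targets = [i.operands[0]]
        elif i.mnemonic in ("jmp", "jz", "ret"):
            targets = successors(i, nxt) + ([nxt] if nxt is not None else [])
        else:
            continue
        for t in targets:
            if t is None:
                continue
            if t not in known:  # a target that is not an instruction boundary
                raise ValueError(f"target {t:#06x} is not an instruction boundary")
            leaders.add(t)
    blocks, cur = {}, None
    for i in insns:
        if i.addr in leaders:
            cur = i.addr
            blocks[cur] = []
        blocks[cur].append(i)
    edges, calls = {}, {}
    for leader, body in blocks.items():
        last = body[-1]
        edges[leader] = [s for s in successors(last, next_of[last.addr]) if s is not None]
        calls[leader] = [i.operands[0] for i in body if i.mnemonic == "call"]
    return blocks, edges, calls


def fmt(insn):
    ops = " ".join(f"{o:#04x}" for o in insn.operands)
    return f"{insn.addr:#06x} {insn.mnemonic} {ops}".rstrip()


def to_dot(blocks, edges):
    """Render the regions and their edges as a Graphviz digraph."""
    sep = "\\l"  # left-justified line break inside a DOT label
    lines = ["digraph cfg {", "  node [shape=box];"]
    for leader, body in blocks.items():
        label = sep.join(fmt(i) for i in body) + sep
        lines.append(f'  "{leader:#06x}" [label="{label}"];')
    for src, dsts in edges.items():
        for d in dsts:
            lines.append(f'  "{src:#06x}" -> "{d:#06x}";')
    lines.append("}")
    return "\n".join(lines)


# Constructed sample program: a compare, a conditional branch, a call and
# a small callee. Not taken from any real binary.
SAMPLE = bytes([
    0x01, 0xAA, 0xBB,  # 0x0000 mov
    0x02, 0x01, 0x02,  # 0x0003 cmp
    0x03, 0x0B,        # 0x0006 jz 0x000b, otherwise fall through to 0x0008
    0x01, 0x00, 0x01,  # 0x0008 mov
    0x05, 0x0E,        # 0x000b call 0x000e
    0x06,              # 0x000d ret
    0x01, 0x05, 0x05,  # 0x000e mov   (callee)
    0x06,              # 0x0011 ret
])


def analyze(code, base=0):
    insns = disassemble(code, base)
    return insns, build_cfg(insns)


if __name__ == "__main__":
    insns, (blocks, edges, calls) = analyze(SAMPLE)
    print(to_dot(blocks, edges))
```

Running the script prints a DOT graph with four regions; the region at 0x0000 has two outgoing edges (the taken and fall-through paths of the jz), and the call from 0x000b to the callee at 0x000e is reported separately so the intra-procedural graph stays small.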

2 Methodology

Fig. 1 : Interaction of Debugger with Mini-Graph

3 Results

Fig. 2 : Original Entry Point (OEP) Identification of UPX packer

Fig. 3 : Remote HTTP Connection and Response

4 Results

5 Discussion
The approach of identifying malicious program instructions within code fragments greatly
simplified and sped up the analysis process.
The analysis tool allows tracing to be carried out in either the forward or the
backward direction, thereby providing a comprehensive binary analysis tool.
The analysis tool is able to pinpoint the original entry point (OEP) of a packed
malicious executable program quickly.

Fig. 4 : RPC Connection

6 Conclusion
The framework is based on the integration of both static and
dynamic binary translation.
The ease of loading debugging symbol files benefits the
analyst by automatically identifying constant offsets and functions in a higher-level disassembly.
The Replay component, which provides backtracking ability, enables
efficient transitions between execution points in a trace in both the
forward and the backward direction.

Contact details :
Chan Lee Yee and Mahamod Ismail
E-mail : chanleeyee@f13-labs.net
mahamod@eng.ukm.my
Dept. of Electrical, Electronics & System Engineering
Faculty of Engineering & Built Environment
Universiti Kebangsaan Malaysia
43600 UKM Bangi Selangor MALAYSIA
(Project Grant: UKM-OUP-2012-182)
