MemPick: High-level data structure detection in C/C++ binaries

Istvan Haller, Asia Slowinska, Herbert Bos

Research output: Chapter in Book / Report / Conference proceedingConference contributionAcademicpeer-review

Abstract

Many existing techniques for reversing data structures in C/C++ binaries are limited to low-level programming constructs, such as individual variables or structs. Unfortunately, without detailed information about a program's pointer structures, forensics and reverse engineering are exceedingly hard. To fill this gap, we propose MemPick, a tool that detects and classifies high-level data structures used in stripped binaries. By analyzing how links between memory objects evolve throughout the program execution, it distinguishes between many commonly used data structures, such as singly-or doubly-linked lists, many types of trees (e.g., AVL, red-black trees, B-trees), and graphs. We evaluate the technique on 10 real world applications and 16 popular libraries. The results show that MemPick can identify the data structures with high accuracy.

Original languageEnglish
Title of host publicationProceedings - 20th Working Conference on Reverse Engineering, WCRE 2013
Pages32-41
Number of pages10
DOIs
Publication statusPublished - 1 Dec 2013
Event20th Working Conference on Reverse Engineering, WCRE 2013 - Koblenz, Germany
Duration: 14 Oct 201317 Oct 2013

Conference

Conference20th Working Conference on Reverse Engineering, WCRE 2013
Country/TerritoryGermany
CityKoblenz
Period14/10/1317/10/13

Fingerprint

Dive into the research topics of 'MemPick: High-level data structure detection in C/C++ binaries'. Together they form a unique fingerprint.

Cite this