Abstract
Many existing techniques for reversing data structures in C/C++ binaries are limited to low-level programming constructs, such as individual variables or structs. Unfortunately, without detailed information about a program's pointer structures, forensics and reverse engineering are exceedingly hard. To fill this gap, we propose MemPick, a tool that detects and classifies high-level data structures used in stripped binaries. By analyzing how links between memory objects evolve throughout the program execution, it distinguishes between many commonly used data structures, such as singly- or doubly-linked lists, many types of trees (e.g., AVL, red-black trees, B-trees), and graphs. We evaluate the technique on 10 real-world applications and 16 popular libraries. The results show that MemPick can identify the data structures with high accuracy.
Original language | English |
---|---|
Title of host publication | Proceedings - 20th Working Conference on Reverse Engineering, WCRE 2013 |
Pages | 32-41 |
Number of pages | 10 |
DOIs | |
Publication status | Published - 1 Dec 2013 |
Event | 20th Working Conference on Reverse Engineering, WCRE 2013 - Koblenz, Germany; Duration: 14 Oct 2013 → 17 Oct 2013 |
Conference
Conference | 20th Working Conference on Reverse Engineering, WCRE 2013 |
---|---|
Country/Territory | Germany |
City | Koblenz |
Period | 14/10/13 → 17/10/13 |