Malware capability reverse engineering via coordination with symbolic analysis
Abstract
A key step in cyber attack investigations is quickly understanding the capabilities and payloads of malware so that proper countermeasures can be adopted. Unfortunately, because they lack insight into the malware's execution state, current techniques for exposing these capabilities are severely limited. Enter FORSEE, a tool developed by CyFI Lab researchers that leverages memory image forensics and symbolic analysis to discover capabilities in malware quickly and efficiently. FORSEE uses the concrete execution state extracted from a malware sample's memory image to explore potential execution paths starting from the point of capture. By coordinating their analysis with FORSEE, malware analysts can simplify and accelerate their reverse engineering efforts. Following this use case, the work presented in this thesis coordinates FORSEE's symbolic analysis with manual reverse engineering to assess FORSEE's effectiveness and to inform its future development.