Disassembly and Control Flow Graph Generation

We exploit the O(N) disassembly algorithm used in SigFree [6] to disassemble the input data stream and generate a control flow graph, where N is the length of the data stream. The algorithm first decodes all possible instructions and finds all possible transfers of control in the data stream, and then creates a control flow graph based on these instructions and transfers of control. We note that in the presence of indirect jumps and self-modifying obfuscation, it is impossible to completely and statically disassemble the entire body of the exploit code embedded in a data stream using the recursive traversal algorithm. Fortunately, the partially disassembled result may already provide strong evidence of self-modifying and/or indirect jump behavior.
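The decode-at-every-offset pass and the recursive-traversal limitation described above, as an added example that is neither SigFree's code nor this paper's own: it models only a handful of x86 opcodes (a stated simplification; every other byte is treated as a one-byte fall-through instruction) over a constructed byte stream, and shows that the indirect jump is still flagged even though recursive traversal from the entry cannot reach the bytes behind it.

```python
import struct

def decode(buf, off):
    """Decode one instruction at `off` for a small x86 subset; returns
    (length, static successors, is_indirect). Other bytes: 1-byte fall-through."""
    op = buf[off]
    if op in (0xC3, 0xCC):                          # ret / int3: no static successor
        return 1, [], False
    if op == 0xEB and off + 2 <= len(buf):          # jmp rel8
        return 2, [off + 2 + struct.unpack_from("<b", buf, off + 1)[0]], False
    if 0x70 <= op <= 0x7F and off + 2 <= len(buf):  # jcc rel8: fall-through + taken
        return 2, [off + 2, off + 2 + struct.unpack_from("<b", buf, off + 1)[0]], False
    if op in (0xE8, 0xE9) and off + 5 <= len(buf):  # call rel32 / jmp rel32
        target = off + 5 + struct.unpack_from("<i", buf, off + 1)[0]
        return 5, ([off + 5, target] if op == 0xE8 else [target]), False
    if op == 0xFF and off + 2 <= len(buf):          # FF /2 = call r32, FF /4 = jmp r32
        modrm, reg = buf[off + 1], (buf[off + 1] >> 3) & 7
        if modrm >> 6 == 3 and reg in (2, 4):       # register operand: target unknown
            return 2, ([off + 2] if reg == 2 else []), True
    return 1, [off + 1], False

def build_cfg(buf):
    """O(N) pass: decode at every offset once, keep in-range static edges,
    and record the offsets of indirect transfers (the evidence the text mentions)."""
    edges, indirect = {}, []
    for off in range(len(buf)):
        _, succs, is_indirect = decode(buf, off)
        edges[off] = sorted(s for s in set(succs) if 0 <= s < len(buf))
        if is_indirect:
            indirect.append(off)
    return edges, indirect

def reachable(edges, entry):
    """Recursive-traversal view: offsets reachable from entry via static edges only."""
    seen, work = set(), [entry]
    while work:
        off = work.pop()
        if off not in seen:
            seen.add(off)
            work.extend(edges.get(off, []))
    return seen

# Constructed sample stream (not from the paper): call, jcc, jmp eax, hidden nop.
SAMPLE = bytes([
    0xE8, 0x00, 0x00, 0x00, 0x00,   # 0: call +0   -> target 5, fall-through 5
    0x74, 0x03,                     # 5: je +3     -> 10, fall-through 7
    0xFF, 0xE0,                     # 7: jmp eax   -> indirect, target unknown
    0x90,                           # 9: nop       -> hidden behind the indirect jump
    0xC3,                           # 10: ret
])
```

`build_cfg(SAMPLE)` reports the indirect transfer at offset 7, while `reachable` from offset 0 never sees offset 9, which is the partial-disassembly situation the text describes.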



xinran wang 2008-02-28