Trace Surfing Presentation (1)

Published by: anon_9868845 on Sep 26, 2012

●How can we further validate our results?

Detecting the calling convention

●We have collected a fair amount of information;
how can we propagate it?

Propagating the type information into basic blocks
not executed on the trace

Or we can be lazy and let the Hex-Rays decompiler do
it for us :)

Calling convention detection

●A spurious function call can happen when a
non-method function is called from a method

●The callee then receives in ECX the 'this'
pointer left over from the previous method call

●We avoid this case by ruling out all the
function calls that do not behave as thiscall

Calling convention detection

Given a function, get its CFG

Obtain a DAG (directed acyclic graph) by dropping the back edges

Do a topological sort

Assume ECX is a 'this' pointer

Add it to a list of 'this' aliases

For each basic block, in topological order
    For each instruction
        If the instruction kills any of the 'this' aliases
            Remove that alias from the list
            If the alias list is empty, return "not thiscall"
        If the instruction copies one of the 'this' aliases into another register
            Add the new alias to the list
        If the instruction accesses memory using one of the aliases of
        'this', then the function is likely thiscall
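The heuristic above, as an added example written for this page (it is not code from the Trace Surfing deck or from the authors' tool). It models x86 instructions as plain strings, a CFG as a dictionary of blocks with instruction lists and successors, and generalizes the slide's single alias list slightly: each block gets its own alias set, joins take the intersection of the predecessors' sets, a `call` kills the caller-saved registers (EAX, ECX, EDX under the 32-bit Microsoft ABIs, so an incoming `this` in ECX does not survive a call), and operand reads are applied before writes so `mov ecx, [ecx+4]` counts as an access before it kills ECX. The register sets, mnemonic table, block names and the three sample functions (`METHOD`, `SPURIOUS`, `CLOBBERED`) are constructed for the example and are not taken from calc.exe or the slides.

```python
import re
from collections import defaultdict

# Hypothetical, simplified instruction model for the slide's heuristic.
REGS = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}
CALL_CLOBBER = {"eax", "ecx", "edx"}          # caller-saved: a call kills a 'this' in ECX
WRITES_FIRST = {"mov", "lea", "pop", "add", "sub", "xor", "and", "or",
                "imul", "movzx", "movsx", "shl", "shr"}   # first operand is written


def parse(line):
    """'mov esi, ecx' -> ('mov', ['esi', 'ecx']); 'ret' -> ('ret', [])."""
    parts = line.strip().lower().split(None, 1)
    ops = [o.strip() for o in parts[1].split(",")] if len(parts) > 1 else []
    return parts[0], ops


def mem_bases(op):
    """Registers used inside a memory operand: '[esi+eax*4]' -> {'esi', 'eax'}."""
    m = re.search(r"\[(.*?)\]", op)
    if not m:
        return set()
    return {tok for tok in re.findall(r"[a-z]+", m.group(1)) if tok in REGS}


def step(aliases, line):
    """Apply one instruction to the set of live 'this' aliases.
    Returns (new_aliases, accessed); reads are applied before writes."""
    mnem, ops = parse(line)
    aliases = set(aliases)
    # LEA only computes an address; any other memory operand is a dereference.
    accessed = mnem != "lea" and any(mem_bases(op) & aliases for op in ops)
    if mnem == "call":
        aliases -= CALL_CLOBBER
    elif mnem in WRITES_FIRST and ops and ops[0] in REGS:
        dst, src = ops[0], (ops[1] if len(ops) > 1 else None)
        if mnem == "mov" and src in aliases:
            aliases.add(dst)             # register copy: dst now aliases 'this'
        else:
            aliases.discard(dst)         # any other write kills the alias
    return aliases, accessed


def drop_back_edges(cfg, entry):
    """CFG -> DAG by dropping back edges (edges into a block still on the DFS stack)."""
    dag = {b: [] for b in cfg}
    state = {}                           # 1 = on stack, 2 = finished

    def visit(b):
        state[b] = 1
        for s in cfg[b][1]:
            if state.get(s) == 1:
                continue                 # back edge (loop)
            dag[b].append(s)
            if s not in state:
                visit(s)
        state[b] = 2
    visit(entry)
    return dag


def topo_order(dag, entry):
    """Reverse DFS post-order of a DAG is a topological order."""
    order, seen = [], set()

    def visit(b):
        seen.add(b)
        for s in dag[b]:
            if s not in seen:
                visit(s)
        order.append(b)
    visit(entry)
    return order[::-1]


def is_thiscall(cfg, entry="entry"):
    """cfg: {block: ([instruction strings], [successor blocks])}.
    'thiscall' if some block dereferences memory through a register that still
    aliases the incoming ECX; joins use must-alias (intersection)."""
    dag = drop_back_edges(cfg, entry)
    preds = defaultdict(list)
    for b, succs in dag.items():
        for s in succs:
            preds[s].append(b)
    out_state = {}
    for b in topo_order(dag, entry):
        if b == entry:
            aliases = {"ecx"}            # assume ECX carries 'this' on entry
        else:
            states = [out_state[p] for p in preds[b]]
            aliases = set.intersection(*states) if states else set()
        for line in cfg[b][0]:
            aliases, accessed = step(aliases, line)
            if accessed:
                return "thiscall"
            if not aliases:
                break                    # 'this' is dead on this path
        out_state[b] = aliases
    return "not thiscall"


# Constructed samples (not from calc.exe or the slides).
METHOD = {      # MSVC-style method: cache 'this' in ESI, which survives the call
    "entry": (["push esi", "mov esi, ecx", "test esi, esi", "jz exit"], ["body", "exit"]),
    "body": (["call sub_401000", "mov [esi+8], eax", "mov eax, [esi+4]"], ["exit"]),
    "exit": (["pop esi", "ret"], []),
}
SPURIOUS = {    # cdecl loop helper: ECX is redefined before any use
    "entry": (["push ebp", "mov ebp, esp", "xor ecx, ecx", "mov eax, [ebp+8]"], ["loop"]),
    "loop": (["mov edx, [eax+ecx*4]", "add ecx, 1", "cmp ecx, 10", "jl loop"], ["loop", "done"]),
    "done": (["pop ebp", "ret"], []),
}
CLOBBERED = {   # ECX is dead after the call, so the later [ecx] is not 'this'
    "entry": (["call sub_401000", "mov eax, [ecx]", "ret"], []),
}

if __name__ == "__main__":
    for name, cfg in ("METHOD", METHOD), ("SPURIOUS", SPURIOUS), ("CLOBBERED", CLOBBERED):
        print(name, "->", is_thiscall(cfg))
```

Intersection at joins is the conservative choice for this purpose: a register is only treated as `this` if it aliases ECX on every incoming DAG path, so a call site whose callee happens to run with a stale `this` in ECX (the spurious case from the previous slide) is rejected as soon as the callee redefines or clobbers ECX before dereferencing it.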

Calling convention detection

●This can fail too

●Generally it gives the correct answer for about 90% of
the analyzed functions

These results were validated by analyzing binaries
with symbols available

●In practice this information allows us to detect
spurious functions detected as methods of a

Example: calc.exe types
