Recent years have witnessed code reuse techniques being employed to craft entire programs such as Jekyll apps, malware droppers, and persistent data-only rootkits. The increased complexity observed in such payloads calls for specific techniques and tools that can help in their analysis. In this paper we propose novel ideas for static analysis of ROP code and apply them to study prominent payloads targeting the Windows platform. Unlike state-of-the-art approaches, we do not require the ROP activation context be reproduced for the analysis. We then propose a guessing mechanism to identify gadget sources for payloads found in documents or over the network.
2019, EuroSec '19 Proceedings of the 12th European Workshop on Systems Security, Pages -
Static analysis of ROP code (04b Atto di convegno in volume)
D'Elia D. C., Coppa E., Salvati A., Demetrescu C.