The Center for Education and Research in Information Assurance and Security (CERIAS)


BISTRO: Binary Component Extraction and Embedding for Software Security Applications

Download

PDF Document

Author

Zhui Deng, Xiangyu Zhang, Dongyan Xu

Tech report number

CERIAS TR 2013-3

Entry type

techreport

Abstract

In software security and malware analysis, researchers often need to directly manipulate binary programs -- benign or malicious -- without source code. A useful pair of binary manipulation primitives is binary functional component extraction and embedding, for extracting a functional component from a binary program and for embedding a functional component in a binary program, respectively. Such primitives are applicable to a wide range of security scenarios such as legacy program hardening, binary semantic patching, and malware function analysis. Unfortunately, existing binary rewriting techniques are inadequate to support binary function carving and embedding. In this paper, we present BISTRO, a system that supports these primitives without symbolic information, relocation information, or compiler support. BISTRO preserves the functional correctness of both the extracted functional component and the stretched binary program (with the component embedded) by properly patching them using -- interestingly -- the same technique and algorithm. We have implemented an IDA Pro-based prototype of BISTRO and evaluated it using real-world Windows software. Our results show that BISTRO performs these primitives efficiently; each stretched binary program incurs only small time and space overhead. Furthermore, we demonstrate BISTRO's capabilities in various security applications.


Date

2013-06-17

Key alpha

Deng

Publication Date

2013-06-17
