Abstract
The object, library and executable code is stored in binary files. The functionality of a binary file is altered when its content or the program source code is changed, causing undesired effects. A direct content change is possible when the intruder knows the structural information of the binary file. The paper describes the structural properties of binary object files, how their content can be controlled by a possible intruder and what the ways to identify malicious code in such files are. Because object files are inputs to the linking process, early detection of malicious content is crucial to avoid infecting the binary executable files.

Keywords: Malicious Code, Binary File, Malware Detection

1 Introduction

The term malicious code is assigned to any code or script in any part of a software system that is intended to cause undesired effects, security breaches and system damage. Malicious code gives the software system it resides in the character of malware. The best-known forms of malware are viruses, worms, Trojan horses, spyware, trapdoors, adware, rootkits, malicious active content and so forth.

Binary files contain non-text data encoded in binary form, stored as computer files that may be processed by a software system that knows how to deploy, manage and use such a file on the computer system or over a computer network. Usually, in the software development process, the term binary file is assigned to the on-disk container that stores instructions in binary form which can be executed directly by the central processing unit of the computer.
Currently, binary files have evolved in structure, content and the way they are managed as processes at runtime, as hardware, software development tools and the challenges of Information and Communications Technologies (ICT) have advanced.

In [1], [3], [4], [5], [6], the following issues are addressed:
* Requirements of the secure software development process;
* Compiling and interpreting processes;
* Binary code and file formats;
* Binary and bytecode file structures;
* Disassembly process;
* Virtual machine architectures;
* Processes of secure code review;
* Techniques and tools used in reverse engineering;
* Methods and techniques for secure program coding;
* Methods and techniques of code obfuscation.

The Windows executable file in the Portable Executable (PE) format is detailed in [4]. In [7], the specifications regarding the PE files and object files used by Microsoft products are presented. The object file format is referred to as the Common Object File Format (COFF).

An object file is produced by a compiler, assembler or translator and represents the input file of the linker. After linking, an executable or library is generated that contains combined parts of the object files. The content of the object file is not directly executable; it is relocatable code. The linking process is illustrated in Figure 1.

A comprehensive image of the PE file layout is given in [7], Figure 2. Also, [7] illustrates the COFF file layout, Figure 3.

The COFF file header has a length of 20 bytes and is structured in several fields, as [7] states and Table 1 highlights. The COFF file header describes the environment in which the object file can be used and the file structure at the highest level. Each COFF section header has a length of 40 bytes and is structured in several fields, as [7] states and Table 2 depicts.

The object file is the output of the compiling process. Different source code programs lead to different contents of the object files, compliant with the layout requirements and constraints.
The COFF file is the foundation of the library and executable files.

2 The Object File Content

Let us consider the following source code written in the C++ programming language.

…

The first 20 bytes represent the COFF file header generated by the Visual Studio 2010 C++ compiler in Employee. …
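As an added example (not code from the paper, which relies on [7] for the layout), the following Python script parses the 20-byte COFF file header and the 40-byte section headers described above from a constructed minimal object file, and runs a few structural consistency checks of the kind a scanner could apply to an object file before it reaches the linker. The field order and flag constants are taken from the PE/COFF specification; the sample bytes, the check names and the function names are my own constructions.

```python
import struct

# Field layout and flag values are from the PE/COFF specification (assumed here, not from the paper).
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
FILE_HDR = struct.Struct("<HHIIIHH")      # 20-byte COFF file header, little-endian
SECT_HDR = struct.Struct("<8sIIIIIIHHI")  # 40-byte COFF section header
SECT_FIELDS = ("Name", "VirtualSize", "VirtualAddress", "SizeOfRawData",
               "PointerToRawData", "PointerToRelocations", "PointerToLinenumbers",
               "NumberOfRelocations", "NumberOfLinenumbers", "Characteristics")

def parse_coff(data):
    """Return (file header dict, list of section header dicts) from raw object-file bytes."""
    machine, nsect, stamp, symptr, nsym, optsize, flags = FILE_HDR.unpack_from(data, 0)
    hdr = dict(Machine=machine, NumberOfSections=nsect, TimeDateStamp=stamp,
               PointerToSymbolTable=symptr, NumberOfSymbols=nsym,
               SizeOfOptionalHeader=optsize, Characteristics=flags)
    sections = []
    for i in range(nsect):
        off = FILE_HDR.size + optsize + i * SECT_HDR.size  # section table follows the headers
        sect = dict(zip(SECT_FIELDS, SECT_HDR.unpack_from(data, off)))
        sect["Name"] = sect["Name"].rstrip(b"\0").decode("ascii", "replace")
        sections.append(sect)
    return hdr, sections

def check_object(data):
    """Structural consistency checks on an object file; returns a list of findings (empty = clean)."""
    findings = []
    try:
        hdr, sections = parse_coff(data)
    except struct.error:
        return ["file header or section table is truncated"]
    if hdr["SizeOfOptionalHeader"] != 0:
        findings.append("object file carries an optional header (expected only in images)")
    for s in sections:
        if s["SizeOfRawData"] and s["PointerToRawData"] + s["SizeOfRawData"] > len(data):
            findings.append(f"{s['Name']}: raw data extends past end of file")
        if s["Characteristics"] & IMAGE_SCN_MEM_EXECUTE and s["Characteristics"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{s['Name']}: section is both writable and executable")
    return findings

def build_sample(raw_size=4, sect_flags=0x60000020):
    """Constructed minimal i386 object: one .text section (code|execute|read) holding 4 bytes."""
    code = b"\x33\xc0\xc3\x90"  # constructed sample bytes, not real compiler output
    hdr = FILE_HDR.pack(IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, 0, 0)
    sect = SECT_HDR.pack(b".text", 0, 0, raw_size, FILE_HDR.size + SECT_HDR.size,
                         0, 0, 0, 0, sect_flags)
    return hdr + sect + code  # raw data starts at offset 60
```

Calling `check_object` on a real `.obj` read in binary mode applies the same checks; a section whose raw data lies outside the file, or that is marked both writable and executable, is worth inspecting before the object is linked.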