Determining the Image Base of ARM Firmware by Matching Function Addresses

Firmware is software embedded in a device and acts as the most fundamental work of a system. Disassembly is a necessary step to understand the operational mechanism or detect the vulnerabilities of the firmware. When disassembling a firmware, it should first obtain the processor type of running environment and the image base of firmware. In general, the processor type can be obtained by tearing down the device or consulting the product manual. However, at present, there is still no automated tool that can be used to obtain the image base of all types of firmware. In this paper, we focus on firmware in ARM and propose an automated method to determine the image base address. Firstly, by studying the storage rule and loading mode of the function address, we can obtain the function offset and the function address loaded by LDR instruction, respectively. Then, with this information, we propose an algorithm, named Determining image Base by Matching Function Addresses (DBMFA), to determine the image base. The experimental results indicate that the proposed method can successfully determine the image base of firmware which uses LDR instruction to load function address.

A Self-Relocation Based Method for Malware Detection

Malware (malicious software) is software designed to disrupt computer operation, gather sensitive information, or gain unauthorized access to a computer system. Most malwares propagate themselves throughout the Internet by self-relocation. Self-relocation is a built-in module in most malwares that gets the base address of the code to correctly infect the other programs. Since most legitimate computer programs do not need the self-relocate module, the detection of malware with self-relocation module can be viewed as a promising approach for malware detection. This paper presents a self-relocation based method for both known and previously unknown malwares. The experiments indicate that the proposed approach has better ability to detect known and unknown malwares than other methods.

Study on the Addressing Mode of Assembly Language Instruction Set of 80C51 MCU

The addressing mode of assembly language instruction set of 80C51 MCU is redefined. The addressing mode is classified according to two standards separately. The addressing mode is the method decrypting operand address in the instruction, or finding the next instruction address. The mode to find the operand address includes direct addressing, register addressing, register indirect addressing and base address plus index indirect addressing. The mode to find the next instruction address includes sequential addressing, base address plus index indirect addressing and relative addressing.