CONTROL FLOW GRAPH RECOVERY FOR DYNAMICALLY LOADED CODE VIA SYMBOLIC LIBRARY RESOLUTION
DOI: https://doi.org/10.20998/2079-0023.2026.01.12

Keywords: Binary analysis, control flow graph, dynamic loading, symbolic execution, malware analysis

Abstract
Control Flow Graphs are one of the main data sources for software analysis, both static and dynamic. Protected software and modern malware increasingly depend on dynamic code loading techniques to evade static analysis. Runtime dynamic linking mechanisms introduce unresolved indirect calls that stop static Control Flow Graph recovery. This hides the dynamically loaded libraries and can be used to hinder security analysis. To address this limitation, an analysis technique is proposed that combines symbolic execution with speculative library preloading to recover Control Flow Graphs from binaries that use dynamic loading. The methodology uses custom software hooks that intercept dynamic loading operations during symbolic execution and perform actual library loading into the analysis state. The module is based on a two-level architecture that hosts interception functions and instruction tracking at the same time, all within a symbolic execution environment. To avoid executing potentially malicious code, as dynamic instrumentation tools require, the analysis was conducted entirely through symbolic execution, making it safe for malware analysis. For evaluation, a batch of 16 synthetic benchmarks was used, employing various obfuscation techniques including encrypted library names, network-triggered loading, environment-derived paths, multi-stage decryption chains, fileless execution and manual Executable and Linkable Format parsing. The experimental results show that the module recovers on average 29.8 % additional Control Flow Graph nodes and 26.5 % additional edges compared to static analysis alone and achieves 100 % precision and 100 % recall in library detection, with all discoveries validated through Frida-based dynamic instrumentation.
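The mechanism the abstract describes, reduced to a toy model as an added example (not the authors' implementation): a static pass stops at the indirect call, while hooks on `dlopen`/`dlsym` load the library into the analysis state and resolve the call target. The block format, `recover_cfg`, `cfg_gain`, the library `libplugin.so` and its symbols are all constructed for illustration, and a concrete single-path interpreter stands in for the symbolic execution engine.

```python
# Toy model: each block is a list of (op, arg) pairs, not real machine code.
KEY = 0x5A
BINARY = {  # constructed sample: XOR-hidden library name, dlopen/dlsym, indirect call
    "main": [("xor_decode", (bytes(b ^ KEY for b in b"libplugin.so"), KEY)),
             ("call", "dlopen"), ("push_str", "run"), ("call", "dlsym"),
             ("call_reg", None), ("jmp", "exit")],
    "exit": [("ret", None)],
}
LIBRARIES = {  # constructed library available to the analyst for preloading
    "libplugin.so": {"libplugin.so!run": [("call", "libplugin.so!helper"), ("ret", None)],
                     "libplugin.so!helper": [("ret", None)]},
}

def recover_cfg(binary, libraries=None, entry="main"):
    """Return (nodes, edges, loaded). libraries=None models static-only recovery."""
    code = dict(binary)              # analysis state: all code known so far
    nodes, edges, loaded = set(), set(), []
    arg = handle = fptr = None       # tracked argument, library handle, function pointer
    work = [entry]
    while work:
        name = work.pop()
        if name in nodes:
            continue
        nodes.add(name)
        for op, val in code[name]:
            target = None
            if op == "xor_decode":
                arg = bytes(b ^ val[1] for b in val[0]).decode()
            elif op == "push_str":
                arg = val
            elif op == "call" and val == "dlopen" and libraries is not None:
                if arg in libraries:             # hook: map the library into the state
                    code.update(libraries[arg])
                    handle = arg
                    loaded.append(arg)
            elif op == "call" and val == "dlsym" and handle is not None:
                fptr = f"{handle}!{arg}"         # hook: resolve the symbol to a block
            elif op in ("call", "jmp"):
                target = val                     # direct transfer, visible statically
            elif op == "call_reg":
                target = fptr                    # stays None when nothing resolved it
            if target in code:
                edges.add((name, target))
                work.append(target)
    return nodes, edges, loaded

def cfg_gain(binary, libraries):
    """Compare static-only recovery with hook-assisted recovery."""
    s_nodes, s_edges, _ = recover_cfg(binary)
    d_nodes, d_edges, loaded = recover_cfg(binary, libraries)
    return sorted(d_nodes - s_nodes), sorted(d_edges - s_edges), loaded
```

When the decoded name is not among the preloadable libraries, the hooks resolve nothing and the result equals the static graph.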

This work is licensed under a Creative Commons Attribution 4.0 International License.