Control Flow Graph Recovery for Dynamically Loaded Code via Symbolic Library Resolution
arXiv SecurityArchived May 29, 2026✓ Full text saved
arXiv:2605.29620v1 Announce Type: new Abstract: Control Flow Graphs are one of the main data sources for software analysis that use dynamic and static software analysis methods. Protected software and modern malware increasingly depend on dynamic code loading techniques to evade static analysis. Usage of runtime dynamic linking mechanisms introduces unresolved indirect calls that stop static Control Flow Graph recovery. This serves to hide dynamic library that can be used for prevention of secur
Full text archived locally
✦ AI Summary· Claude Sonnet
Computer Science > Cryptography and Security
[Submitted on 28 May 2026]
Control Flow Graph Recovery for Dynamically Loaded Code via Symbolic Library Resolution
Oleksandr Mostovyi
Control Flow Graphs are one of the main data sources for software analysis that use dynamic and static software analysis methods. Protected software and modern malware increasingly depend on dynamic code loading techniques to evade static analysis. Usage of runtime dynamic linking mechanisms introduces unresolved indirect calls that stop static Control Flow Graph recovery. This serves to hide dynamic library that can be used for prevention of security analysis. To address this limitation, an analysis technique is proposed that combines symbolic execution with speculative library preloading to recover Control Flow Graphs from binaries by using dynamic loading. The methodology uses custom software hooks that intercept dynamic loading operations during symbolic execution and perform actual library loading into the analysis state. The module is based on a two-level architecture that stores interception functions and instruction tracking at the same time, all within a symbolic execution environment. To avoid executing potentially malicious code that dynamic instrumentation tools require, the analysis was conducted entirely through symbolic execution, making it safe for malware analysis. For evaluation a batch of 16 synthetic benchmarks was used, employing various obfuscation techniques including encrypted library names, network-triggered loading, environment-derived paths, multi-stage decryption chains, fileless execution and manual executable and linkable format parsing. The experiments results show that module recovers on average 29.8 % additional Control Flow Graph nodes and 26.5 % additional edges compared to static analysis alone, achieves 100 % precision and 100 % recall in library detection, with all discoveries validated through Frida-based dynamic instrumentation.
Comments: 6 pages, 5 figures
Subjects: Cryptography and Security (cs.CR); Software Engineering (cs.SE)
ACM classes: D.4.6; D.2.5; F.3.2
Cite as: arXiv:2605.29620 [cs.CR]
(or arXiv:2605.29620v1 [cs.CR] for this version)
https://doi.org/10.48550/arXiv.2605.29620
Focus to learn more
Journal reference: Bulletin of the National Technical University "KhPI". Series: System Analysis, Control and Information Technologies, No. 1 (15), pp. 74-79, 2026
Related DOI:
https://doi.org/10.20998/2079-0023.2026.01.12
Focus to learn more
Submission history
From: Oleksandr Mostovyi [view email]
[v1] Thu, 28 May 2026 08:54:54 UTC (862 KB)
Access Paper:
view license
Current browse context:
cs.CR
< prev | next >
new | recent | 2026-05
Change to browse by:
cs
cs.SE
References & Citations
NASA ADS
Google Scholar
Semantic Scholar
Export BibTeX Citation
Bookmark
Bibliographic Tools
Bibliographic and Citation Tools
Bibliographic Explorer Toggle
Bibliographic Explorer (What is the Explorer?)
Connected Papers Toggle
Connected Papers (What is Connected Papers?)
Litmaps Toggle
Litmaps (What is Litmaps?)
scite.ai Toggle
scite Smart Citations (What are Smart Citations?)
Code, Data, Media
Demos
Related Papers
About arXivLabs
Which authors of this paper are endorsers? | Disable MathJax (What is MathJax?)