A Generic Approach to Automatic Deobfuscation of Executable Code

Malicious software are usually obfuscated to avoid detection and resist analysis. When new malware is encountered, such obfuscations have to be penetrated or removed ("deobfuscated") in order to understand the internal logic of the code and devise countermeasures. This paper discusses a ge...

Full description

Saved in:
Bibliographic Details
Published in:Proceedings - IEEE Symposium on Security and Privacy pp. 674 - 691
Main Authors: Yadegari, Babak, Johannesmeyer, Brian, Whitely, Ben, Debray, Saumya
Format: Conference Proceeding
Language:English
Published: IEEE 01.05.2015
Subjects:
Algorithm design and analysis
Deobfuscation
IP networks
Libraries
Programming
Return Oriented Programming
Reverse engineering
Security
Semantics
Virtualization-Obfuscation
ISSN:1081-6011
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Malicious software are usually obfuscated to avoid detection and resist analysis. When new malware is encountered, such obfuscations have to be penetrated or removed ("deobfuscated") in order to understand the internal logic of the code and devise countermeasures. This paper discusses a generic approach for deobfuscation of obfuscated executable code. Our approach does not make any assumptions about the nature of the obfuscations used, but instead uses semantics-preserving program transformations to simplify away obfuscation code. We have applied a prototype implementation of our ideas to a variety of different kinds of obfuscation, including emulation-based obfuscation, emulation-based obfuscation with runtime code unpacking, and return-oriented programming. Our experimental results are encouraging and suggest that this approach can be effective in extracting the internal logic from code obfuscated using a variety of obfuscation techniques, including tools such as Themida that previous approaches could not handle.
ISSN:1081-6011
DOI:10.1109/SP.2015.47