A Generic Approach to Automatic Deobfuscation of Executable Code

Malicious software are usually obfuscated to avoid detection and resist analysis. When new malware is encountered, such obfuscations have to be penetrated or removed ("deobfuscated") in order to understand the internal logic of the code and devise countermeasures. This paper discusses a ge...

Celý popis

Uložené v:
Podrobná bibliografia
Vydané v:Proceedings - IEEE Symposium on Security and Privacy s. 674 - 691
Hlavní autori: Yadegari, Babak, Johannesmeyer, Brian, Whitely, Ben, Debray, Saumya
Médium: Konferenčný príspevok..
Jazyk:English
Vydavateľské údaje: IEEE 01.05.2015
Predmet:
Algorithm design and analysis
Deobfuscation
IP networks
Libraries
Programming
Return Oriented Programming
Reverse engineering
Security
Semantics
Virtualization-Obfuscation
ISSN:1081-6011
On-line prístup:Získať plný text
Tagy: Pridať tag
Žiadne tagy, Buďte prvý, kto otaguje tento záznam!
Popis
Shrnutí:Malicious software are usually obfuscated to avoid detection and resist analysis. When new malware is encountered, such obfuscations have to be penetrated or removed ("deobfuscated") in order to understand the internal logic of the code and devise countermeasures. This paper discusses a generic approach for deobfuscation of obfuscated executable code. Our approach does not make any assumptions about the nature of the obfuscations used, but instead uses semantics-preserving program transformations to simplify away obfuscation code. We have applied a prototype implementation of our ideas to a variety of different kinds of obfuscation, including emulation-based obfuscation, emulation-based obfuscation with runtime code unpacking, and return-oriented programming. Our experimental results are encouraging and suggest that this approach can be effective in extracting the internal logic from code obfuscated using a variety of obfuscation techniques, including tools such as Themida that previous approaches could not handle.
ISSN:1081-6011
DOI:10.1109/SP.2015.47