A Generic Approach to Automatic Deobfuscation of Executable Code
Saved in:
| Published in: | Proceedings - IEEE Symposium on Security and Privacy, pp. 674 - 691 |
|---|---|
| Main authors: | Yadegari, Babak; Johannesmeyer, Brian; Whitely, Ben; Debray, Saumya |
| Format: | Conference paper |
| Language: | English |
| Published: | IEEE, 01.05.2015 |
| Subject terms: | |
| ISSN: | 1081-6011 |
| Online access: | Full text |
| Abstract | Malicious software are usually obfuscated to avoid detection and resist analysis. When new malware is encountered, such obfuscations have to be penetrated or removed ("deobfuscated") in order to understand the internal logic of the code and devise countermeasures. This paper discusses a generic approach for deobfuscation of obfuscated executable code. Our approach does not make any assumptions about the nature of the obfuscations used, but instead uses semantics-preserving program transformations to simplify away obfuscation code. We have applied a prototype implementation of our ideas to a variety of different kinds of obfuscation, including emulation-based obfuscation, emulation-based obfuscation with runtime code unpacking, and return-oriented programming. Our experimental results are encouraging and suggest that this approach can be effective in extracting the internal logic from code obfuscated using a variety of obfuscation techniques, including tools such as Themida that previous approaches could not handle. |
|---|---|
| Author | Yadegari, Babak Debray, Saumya Johannesmeyer, Brian Whitely, Ben |
| Author_xml | – sequence: 1 givenname: Babak surname: Yadegari fullname: Yadegari, Babak email: babaky@cs.arizona.edu organization: Dept. of Comput. Sci., Univ. of Arizona, Tucson, AZ, USA – sequence: 2 givenname: Brian surname: Johannesmeyer fullname: Johannesmeyer, Brian email: bjohannesmeyer@cs.arizona.edu organization: Dept. of Comput. Sci., Univ. of Arizona, Tucson, AZ, USA – sequence: 3 givenname: Ben surname: Whitely fullname: Whitely, Ben email: whitely@cs.arizona.edu organization: Dept. of Comput. Sci., Univ. of Arizona, Tucson, AZ, USA – sequence: 4 givenname: Saumya surname: Debray fullname: Debray, Saumya email: debray@cs.arizona.edu organization: Dept. of Comput. Sci., Univ. of Arizona, Tucson, AZ, USA |
| CODEN | IEEPAD |
| ContentType | Conference Proceeding |
| DOI | 10.1109/SP.2015.47 |
| DatabaseName | IEEE Electronic Library (IEL) Conference Proceedings IEEE Proceedings Order Plan (POP) 1998-present by volume IEEE Xplore All Conference Proceedings IEEE Electronic Library (IEL) IEEE Proceedings Order Plans (POP) 1998-present |
| Database_xml | – sequence: 1 dbid: RIE name: IEEE Electronic Library (IEL) url: https://ieeexplore.ieee.org/ sourceTypes: Publisher |
| Discipline | Computer Science |
| EISBN | 1467369497 9781467369497 |
| EndPage | 691 |
| ExternalDocumentID | 7163054 |
| Genre | orig-research |
| ISICitedReferencesCount | 117 |
| ISSN | 1081-6011 |
| IsDoiOpenAccess | false |
| IsOpenAccess | true |
| IsPeerReviewed | false |
| IsScholarly | true |
| Language | English |
| OpenAccessLink | https://ieeexplore.ieee.org/ielx7/7160813/7163005/07163054.pdf |
| PageCount | 18 |
| ParticipantIDs | ieee_primary_7163054 |
| PublicationCentury | 2000 |
| PublicationDate | 20150501 |
| PublicationDateYYYYMMDD | 2015-05-01 |
| PublicationDate_xml | – month: 05 year: 2015 text: 20150501 day: 01 |
| PublicationDecade | 2010 |
| PublicationTitle | Proceedings - IEEE Symposium on Security and Privacy |
| PublicationTitleAbbrev | SP |
| PublicationYear | 2015 |
| Publisher | IEEE |
| Publisher_xml | – name: IEEE |
| SourceID | ieee |
| SourceType | Publisher |
| StartPage | 674 |
| SubjectTerms | Algorithm design and analysis Deobfuscation IP networks Libraries Programming Return Oriented Programming Reverse engineering Security Semantics Virtualization-Obfuscation |
| Title | A Generic Approach to Automatic Deobfuscation of Executable Code |
| URI | https://ieeexplore.ieee.org/document/7163054 |