Abstract
Along with the rise of the cyber threats industry, attackers have become more fluent in developing and integrating various obfuscation layers. This is mainly focused on impeding or at least slowing the analysis and the reverse engineering process, both manually and automatically, such that their threats will have more time to do damage. Our contribution comes two-fold: we propose a semi-formal description to reason with a certain class of obfuscators, while also presenting a concrete implementation proving our deobfuscation mechanisms. Our results are based on a set of case studies of both common threats and legitimate software, running on Windows operating systems. We evaluate our results comparing with PINDemonium, a tool built on top of PIN dynamic binary instrumentation tool. Our solution CFGDump attempts to brute-force and hash inter-procedural control flow graphs, opening the doors to future optimisations and possible other features.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
Given our context of mid-level polymorphism.
- 2.
- 3.
- 4.
- 5.
- 6.
References
Scylla. github.com/NtQuery/Scylla
Alrzini, J.R.S., Pennington, D.: A review of polymorphic malware detection techniques. Int. J. Adv. Res. Eng. Technol. 11(12), 1238–1247 (2020)
Bergenholtz, E., Casalicchio, E., Ilie, D., Moss, A.: Detection of metamorphic malware packers using multilayered LSTM networks. In: Meng, W., Gollmann, D., Jensen, C.D., Zhou, J. (eds.) ICICS 2020. LNCS, vol. 12282, pp. 36–53. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-61078-4_3
Choi, M.J., Bang, J., Kim, J., Kim, H., Moon, Y.S.: All-in-one framework for detection, unpacking, and verification for malware analysis. Secur. Commun. Netw. 2019, 5278137 (2019). https://doi.org/10.1155/2019/5278137. https://www.hindawi.com/journals/scn/2019/5278137/. Hindawi
Coogan, K., Debray, S., Kaochar, T., Townsend, G.: Automatic static unpacking of malware binaries. In: 2009 16th Working Conference on Reverse Engineering, pp. 167–176. IEEE (2009)
D’Alessio, S., Mariani, S.: PinDemonium: a DBI-based generic unpacker for windows executables (2016)
Dalla Preda, M.: Code obfuscation and malware detection by abstract interpretation. PhD diss (2007). https://profs.sci.univr.it/dallapre/MilaDallaPreda_PhD.pdf
Yadegari, B., Johannesmeyer, B., Whitely, B., Debray, S.: A generic approach to automatic deobfuscation of executable code. In: Proceedings of IEEE Symposium on Security and Privacy, pp. 674–691 (2015)
D’Elia, D.C., Coppa, E., Nicchi, S., Palmaro, F., Cavallaro, L.: Sok: using dynamic binary instrumentation for security (and how you may get caught red handed). In: Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security, pp. 15–27 (2019)
Dolan-Gavitt, B., Hodosh, J., Hulin, P., Leek, T., Whelan, R.: Repeatable reverse engineering with panda. In: Proceedings of the 5th Program Protection and Reverse Engineering Workshop, pp. 1–11 (2015)
Farley, R., Wang, X.: CodeXt: automatic extraction of obfuscated attack code from memory dump. In: Chow, S.S.M., Camenisch, J., Hui, L.C.K., Yiu, S.M. (eds.) ISC 2014. LNCS, vol. 8783, pp. 502–514. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-13257-0_32
Saïdi, H., Porras, P., Yegneswaran, V.: Experiences in malware binary deobfuscation (2010)
Hron, M., Jermář, J.: Safemachine malware needs love, too. Virus Bulletin (2014). https://www.virusbulletin.com/uploads/pdf/conference_slides/2014/sponsorAVAST-VB2014.pdf
I. You, K.Y.: Malware obfuscation techniques: a brief survey. In: Proceedings of the 2010 International Conference on Broadband, Wireless Computing, Communication and Applications, pp. 297–300 (2010)
Marion, J.Y., Reynaud, D.: Dynamic binary instrumentation for deobfuscation and unpacking (2009)
Lee, Y.B., Suk, J.H., Lee, D.H.: Bypassing anti-analysis of commercial protector methods using DBI tools. IEEE Access 9, 7655–7673 (2021)
Lim, C., Kotualubun, Y.S., Ramli, K., et al.: Mal-Xtract: hidden code extraction using memory analysis. In: Journal of Physics: Conference Series, vol. 801, p. 012058. IOP Publishing (2017)
Lim, C., Ramli, K., Kotualubun, Y.S., et al.: Mal-flux: rendering hidden code of packed binary executable. Digit. Investig. 28, 83–95 (2019)
Luk, C.K., et al.: Pin: building customized program analysis tools with dynamic instrumentation. Acm Sigplan Notices 40(6), 190–200 (2005)
Campion, M.: Mila Dalla Preda, R.G.: Learning metamorphic malware signatures from samples (2021)
Naidu, V.J.: Identifying polymorphic malware variants using biosequence analysis techniques. Ph.D. thesis, Auckland University of Technology (2018)
Naval, S., Laxmi, V., Gaur, M.S., et al.: An efficient block-discriminant identification of packed malware. Sadhana 40(5), 1435–1456 (2015)
Oreans. www.oreans.com/themida.php
Pasha, M.M.R., Prathima, M.Y., Thirupati, L.: Malwise Syst. Packed Polymorphic Malware 3, 167–172 (2014)
Plumerault, F., David, B.: Dbi, debuggers, vm: gotta catch them all. J. Comput. Virol. Hacking Tech. 17(2), 105–117 (2021)
Royal, P., Halpin, M., Dagon, D., Edmonds, R., Lee, W.: PolyUnpack: automating the hidden-code extraction of unpack-executing malware. In: 2006 22nd Annual Computer Security Applications Conference (ACSAC 2006), pp. 289–300. IEEE (2006)
Udupa, S.K., Debray, S.K., Madou, M.: Deobfuscation: reverse engineering obfuscated code. In: Proceedings of the 12th IEEE Working Conference on Reverse Engineering (WCRE 2005) (2005)
Shirazi, M.T.: Analysis of obfuscation transformations on binary code. Ph.D. thesis, Université Grenoble Alpes (2019)
Suk, J.H., Lee, J.Y., Jin, H., Kim, I.S., Lee, D.H.: UnThemida: commercial obfuscation technique analysis with a fully obfuscated program (2018)
Thilagavathi, A., Elumalai, M.: Proficient classification of packed and polymorphic malware using malwise
Ugarte-Pedrero, X., Balzarotti, D., Santos, I., Bringas, P.G.: SoK: deep packer inspection: a longitudinal study of the complexity of run-time packers. In: 2015 IEEE Symposium on Security and Privacy, pp. 659–673. IEEE (2015)
V. Craciun, A. Nacu, M.A.: It’s a file infector... it’s ransomware... it’s virlock (2015)
Guillot, Y., Gazet, A.: Automatic binary deobfuscation (2010)
Yason, M.V.: The art of unpacking (2007)
Author information
Authors and Affiliations
Corresponding authors
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2022 Springer Nature Switzerland AG
About this paper
Cite this paper
Crăciun, V.C., Mogage, AC. (2022). Building Deobfuscated Applications from Polymorphic Binaries. In: Ryan, P.Y., Toma, C. (eds) Innovative Security Solutions for Information Technology and Communications. SecITC 2021. Lecture Notes in Computer Science, vol 13195. Springer, Cham. https://doi.org/10.1007/978-3-031-17510-7_21
Download citation
DOI: https://doi.org/10.1007/978-3-031-17510-7_21
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-17509-1
Online ISBN: 978-3-031-17510-7
eBook Packages: Computer ScienceComputer Science (R0)