Skip to main content
SpringerLink
Log in

Building Deobfuscated Applications from Polymorphic Binaries

  • Conference paper
  • First Online:
Innovative Security Solutions for Information Technology and Communications (SecITC 2021)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13195))

  • 279 Accesses

Abstract

Along with the rise of the cyber threats industry, attackers have become more fluent in developing and integrating various obfuscation layers. This is mainly focused on impeding or at least slowing the analysis and the reverse engineering process, both manually and automatically, such that their threats will have more time to do damage. Our contribution comes two-fold: we propose a semi-formal description to reason with a certain class of obfuscators, while also presenting a concrete implementation proving our deobfuscation mechanisms. Our results are based on a set of case studies of both common threats and legitimate software, running on Windows operating systems. We evaluate our results comparing with PINDemonium, a tool built on top of PIN dynamic binary instrumentation tool. Our solution CFGDump attempts to brute-force and hash inter-procedural control flow graphs, opening the doors to future optimisations and possible other features.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    Given our context of mid-level polymorphism.

  2. 2.

    https://github.com/chesvectain/PackingData.git.

  3. 3.

    https://hex-rays.com/ida-pro/.

  4. 4.

    http://www.hiew.ru/.

  5. 5.

    https://github.com/mtivadar/qiew.

  6. 6.

    https://www.virustotal.com/.

References

  1. Scylla. github.com/NtQuery/Scylla

  2. Alrzini, J.R.S., Pennington, D.: A review of polymorphic malware detection techniques. Int. J. Adv. Res. Eng. Technol. 11(12), 1238–1247 (2020)

    Google Scholar 

  3. Bergenholtz, E., Casalicchio, E., Ilie, D., Moss, A.: Detection of metamorphic malware packers using multilayered LSTM networks. In: Meng, W., Gollmann, D., Jensen, C.D., Zhou, J. (eds.) ICICS 2020. LNCS, vol. 12282, pp. 36–53. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-61078-4_3

    Chapter  Google Scholar 

  4. Choi, M.J., Bang, J., Kim, J., Kim, H., Moon, Y.S.: All-in-one framework for detection, unpacking, and verification for malware analysis. Secur. Commun. Netw. 2019, 5278137 (2019). https://doi.org/10.1155/2019/5278137. https://www.hindawi.com/journals/scn/2019/5278137/. Hindawi

  5. Coogan, K., Debray, S., Kaochar, T., Townsend, G.: Automatic static unpacking of malware binaries. In: 2009 16th Working Conference on Reverse Engineering, pp. 167–176. IEEE (2009)

    Google Scholar 

  6. D’Alessio, S., Mariani, S.: PinDemonium: a DBI-based generic unpacker for windows executables (2016)

    Google Scholar 

  7. Dalla Preda, M.: Code obfuscation and malware detection by abstract interpretation. PhD diss (2007). https://profs.sci.univr.it/dallapre/MilaDallaPreda_PhD.pdf

  8. Yadegari, B., Johannesmeyer, B., Whitely, B., Debray, S.: A generic approach to automatic deobfuscation of executable code. In: Proceedings of IEEE Symposium on Security and Privacy, pp. 674–691 (2015)

    Google Scholar 

  9. D’Elia, D.C., Coppa, E., Nicchi, S., Palmaro, F., Cavallaro, L.: Sok: using dynamic binary instrumentation for security (and how you may get caught red handed). In: Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security, pp. 15–27 (2019)

    Google Scholar 

  10. Dolan-Gavitt, B., Hodosh, J., Hulin, P., Leek, T., Whelan, R.: Repeatable reverse engineering with panda. In: Proceedings of the 5th Program Protection and Reverse Engineering Workshop, pp. 1–11 (2015)

    Google Scholar 

  11. Farley, R., Wang, X.: CodeXt: automatic extraction of obfuscated attack code from memory dump. In: Chow, S.S.M., Camenisch, J., Hui, L.C.K., Yiu, S.M. (eds.) ISC 2014. LNCS, vol. 8783, pp. 502–514. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-13257-0_32

    Chapter  Google Scholar 

  12. Saïdi, H., Porras, P., Yegneswaran, V.: Experiences in malware binary deobfuscation (2010)

    Google Scholar 

  13. Hron, M., Jermář, J.: Safemachine malware needs love, too. Virus Bulletin (2014). https://www.virusbulletin.com/uploads/pdf/conference_slides/2014/sponsorAVAST-VB2014.pdf

  14. I. You, K.Y.: Malware obfuscation techniques: a brief survey. In: Proceedings of the 2010 International Conference on Broadband, Wireless Computing, Communication and Applications, pp. 297–300 (2010)

    Google Scholar 

  15. Marion, J.Y., Reynaud, D.: Dynamic binary instrumentation for deobfuscation and unpacking (2009)

    Google Scholar 

  16. Lee, Y.B., Suk, J.H., Lee, D.H.: Bypassing anti-analysis of commercial protector methods using DBI tools. IEEE Access 9, 7655–7673 (2021)

    Article  Google Scholar 

  17. Lim, C., Kotualubun, Y.S., Ramli, K., et al.: Mal-Xtract: hidden code extraction using memory analysis. In: Journal of Physics: Conference Series, vol. 801, p. 012058. IOP Publishing (2017)

    Google Scholar 

  18. Lim, C., Ramli, K., Kotualubun, Y.S., et al.: Mal-flux: rendering hidden code of packed binary executable. Digit. Investig. 28, 83–95 (2019)

    Article  Google Scholar 

  19. Luk, C.K., et al.: Pin: building customized program analysis tools with dynamic instrumentation. Acm Sigplan Notices 40(6), 190–200 (2005)

    Article  Google Scholar 

  20. Campion, M.: Mila Dalla Preda, R.G.: Learning metamorphic malware signatures from samples (2021)

    Google Scholar 

  21. Naidu, V.J.: Identifying polymorphic malware variants using biosequence analysis techniques. Ph.D. thesis, Auckland University of Technology (2018)

    Google Scholar 

  22. Naval, S., Laxmi, V., Gaur, M.S., et al.: An efficient block-discriminant identification of packed malware. Sadhana 40(5), 1435–1456 (2015)

    Article  Google Scholar 

  23. Oreans. www.oreans.com/themida.php

  24. Pasha, M.M.R., Prathima, M.Y., Thirupati, L.: Malwise Syst. Packed Polymorphic Malware 3, 167–172 (2014)

    Google Scholar 

  25. Plumerault, F., David, B.: Dbi, debuggers, vm: gotta catch them all. J. Comput. Virol. Hacking Tech. 17(2), 105–117 (2021)

    Article  Google Scholar 

  26. Royal, P., Halpin, M., Dagon, D., Edmonds, R., Lee, W.: PolyUnpack: automating the hidden-code extraction of unpack-executing malware. In: 2006 22nd Annual Computer Security Applications Conference (ACSAC 2006), pp. 289–300. IEEE (2006)

    Google Scholar 

  27. Udupa, S.K., Debray, S.K., Madou, M.: Deobfuscation: reverse engineering obfuscated code. In: Proceedings of the 12th IEEE Working Conference on Reverse Engineering (WCRE 2005) (2005)

    Google Scholar 

  28. Shirazi, M.T.: Analysis of obfuscation transformations on binary code. Ph.D. thesis, Université Grenoble Alpes (2019)

    Google Scholar 

  29. Suk, J.H., Lee, J.Y., Jin, H., Kim, I.S., Lee, D.H.: UnThemida: commercial obfuscation technique analysis with a fully obfuscated program (2018)

    Google Scholar 

  30. Thilagavathi, A., Elumalai, M.: Proficient classification of packed and polymorphic malware using malwise

    Google Scholar 

  31. Ugarte-Pedrero, X., Balzarotti, D., Santos, I., Bringas, P.G.: SoK: deep packer inspection: a longitudinal study of the complexity of run-time packers. In: 2015 IEEE Symposium on Security and Privacy, pp. 659–673. IEEE (2015)

    Google Scholar 

  32. V. Craciun, A. Nacu, M.A.: It’s a file infector... it’s ransomware... it’s virlock (2015)

    Google Scholar 

  33. Guillot, Y., Gazet, A.: Automatic binary deobfuscation (2010)

    Google Scholar 

  34. Yason, M.V.: The art of unpacking (2007)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Department of Computer Science, “Alexandru Ioan Cuza” University of IAŞI, Iaşi, Romania

    Vlad Constantin Crăciun & Andrei-Cătălin Mogage

  2. Bitdefender, Bucharest, Romania

    Vlad Constantin Crăciun & Andrei-Cătălin Mogage

Authors
  1. Vlad Constantin Crăciun
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Andrei-Cătălin Mogage
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding authors

Correspondence to Vlad Constantin Crăciun or Andrei-Cătălin Mogage .

Editor information

Editors and Affiliations

  1. University of Luxembourg, Esch-sur-Alzette, Luxembourg

    Peter Y.A. Ryan

  2. Bucharest University of Economic Studies, Bucharest, Romania

    Cristian Toma

Rights and permissions

Reprints and permissions

Copyright information

© 2022 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Crăciun, V.C., Mogage, AC. (2022). Building Deobfuscated Applications from Polymorphic Binaries. In: Ryan, P.Y., Toma, C. (eds) Innovative Security Solutions for Information Technology and Communications. SecITC 2021. Lecture Notes in Computer Science, vol 13195. Springer, Cham. https://doi.org/10.1007/978-3-031-17510-7_21

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-17510-7_21

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-17509-1

  • Online ISBN: 978-3-031-17510-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation