
Hybrid emulation for bypassing anti-reversing techniques and analyzing malware

The Journal of Supercomputing

Abstract

Malware uses a variety of anti-reverse-engineering techniques, which make its analysis difficult. Dynamic analysis tools such as debuggers, DBI (dynamic binary instrumentation) frameworks, and CPU emulators do not provide both accuracy and convenience when analyzing complex malware that employs diverse anti-reversing techniques. Debuggers are convenient but are easily detected by anti-debugging techniques. DBI tools are better than debuggers at bypassing anti-reversing techniques, but they cannot execute complex programs correctly. Emulators are not designed for precise malware analysis. To address the problem fundamentally, we developed a new approach that differs completely from previous work. We present a new dynamic analysis scheme for malware that includes automatic detection and evasion of various anti-reversing techniques. The approach combines a CPU simulator with actual code execution: machine instructions are simulated by the CPU simulator, whereas API functions are executed directly when they are called. In this method, the CPU simulator can execute code precisely without modifying code chunks to insert trampolines. Moreover, our method takes advantage of OS functionality, including thread management and interrupt handling. We conducted experiments on 16 widely used protectors, which show that our method outperforms the conventional tools Pin, DynamoRIO, Apate, and OllyAdvanced. Our scheme can unpack 15 of the protectors and bypass the anti-debugging techniques associated with them.
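The split the abstract describes (instructions interpreted by a simulator, API calls executed on the host) can be illustrated with a toy hybrid emulator. The following Python is an added example written for this page, not the paper's implementation: the instruction set, the import table, the host-side API stand-ins and the sample bytes are all constructed. It shows two things the abstract claims: the sample's code image is never patched with breakpoints or trampolines, and a debugger-presence check executed on the host reports "no debugger" because none is attached to the simulator's process.

```python
"""Toy hybrid emulator: the sample's instructions run in a CPU simulator while
its API calls are executed on the host side.  Added example, not the paper's
code; the instruction set, import table and sample bytes are all constructed."""
from dataclasses import dataclass, field

# Constructed one-byte opcodes for the toy ISA (not x86).
OP_MOV, OP_ADD, OP_CALL, OP_JNZ, OP_JMP, OP_HALT = 0x01, 0x02, 0x03, 0x04, 0x05, 0xFF

# Constructed import table: the sample calls APIs by index.
IMPORTS = {0: "IsDebuggerPresent", 1: "GetTickCount"}


@dataclass
class Trace:
    """Analyst-facing record: every API call in order, plus simulated steps."""
    api_calls: list = field(default_factory=list)
    steps: int = 0


def host_api(name, trace):
    """Host-side stand-in for direct API execution.  The paper's scheme calls
    the real OS function; deterministic Python stand-ins keep this offline.
    No debugger is attached to the simulator's host process, so a
    debugger-presence check legitimately returns 0."""
    trace.api_calls.append(name)
    if name == "IsDebuggerPresent":
        return 0
    if name == "GetTickCount":
        return 1000  # constructed, fixed clock value
    raise KeyError(f"unresolved import: {name}")


def run(code: bytearray, api=host_api, max_steps: int = 10_000):
    """Simulate `code` on a four-register toy CPU.  OP_CALL is recognised by
    opcode and dispatched to `api`, so the code image is never patched with
    breakpoints or trampolines; the caller can verify that afterwards."""
    regs, pc, trace = [0, 0, 0, 0], 0, Trace()
    while trace.steps < max_steps:
        trace.steps += 1
        op = code[pc]
        if op == OP_MOV:                      # MOV r, imm8
            regs[code[pc + 1]] = code[pc + 2]
            pc += 3
        elif op == OP_ADD:                    # ADD r, s  (8-bit wraparound)
            regs[code[pc + 1]] = (regs[code[pc + 1]] + regs[code[pc + 2]]) & 0xFF
            pc += 3
        elif op == OP_CALL:                   # CALL import[idx]; result in r0
            regs[0] = api(IMPORTS[code[pc + 1]], trace)
            pc += 2
        elif op == OP_JNZ:                    # JNZ target  (taken if r0 != 0)
            pc = code[pc + 1] if regs[0] else pc + 2
        elif op == OP_JMP:                    # JMP target
            pc = code[pc + 1]
        elif op == OP_HALT:
            return regs, trace
        else:
            raise ValueError(f"bad opcode {op:#x} at offset {pc}")
    raise RuntimeError("step budget exhausted (possible infinite loop)")


# Constructed sample whose real behaviour is guarded by a debugger check:
#   0: CALL IsDebuggerPresent                 (r0 = result)
#   2: JNZ  11                                (debugger seen -> decoy path)
#   4: MOV r1, 0x2A ; 7: ADD r1, r1 ; 10: HALT    real path,  r1 = 0x54
#  11: MOV r1, 0xEE ; 14: HALT                    decoy path, r1 = 0xEE
SAMPLE = bytearray([0x03, 0x00,
                    0x04, 0x0B,
                    0x01, 0x01, 0x2A,
                    0x02, 0x01, 0x01,
                    0xFF,
                    0x01, 0x01, 0xEE,
                    0xFF])


def analyse(code: bytearray, api=host_api):
    """Run the sample and report what an analyst wants: the final r1, the API
    trace, and confirmation that the simulator did not modify the code image."""
    snapshot = bytes(code)
    regs, trace = run(code, api)
    return {"r1": regs[1], "api_calls": trace.api_calls,
            "steps": trace.steps, "code_unmodified": bytes(code) == snapshot}


if __name__ == "__main__":
    print(analyse(SAMPLE))
```

Passing a different `api` callable to `analyse` models the debugger case: if the host-side check reports a debugger, the same bytes take the decoy path, which is the detection problem the abstract attributes to conventional debuggers.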


References

  1. Oreans Technologies (2014) Themida: advanced Windows software protection system. https://www.oreans.com/themida.php. Accessed 19 Aug 2019

  2. Enigma Protector Developer (2019) The Enigma Protector: a professional system for licensing and protecting executable files for Windows. https://enigmaprotector.com/en/home.html. Accessed 19 Aug 2019

  3. Bellard F (2005) QEMU, a fast and portable dynamic translator. In: Proceedings of 2005 USENIX Annual Technical Conference

  4. Mishchenko D (2011) Introduction to VMware ESXi 4.1. In: VMware ESXi: planning, implementation, security, 1st edn. Course Technology, pp 1–23

  5. Luk C, Cohn R, Muth R, Patil H, Klauser A, Lowney G, Wallace S, Reddi VJ, Hazelwood K (2005) Pin: building customized program analysis tools with dynamic instrumentation. In: Proceedings of the 2005 ACM SIGPLAN Conference on PLDI, pp 190–200

  6. Lawton KP (1996) A portable PC emulator for Unix/X. Linux J 1996(29es)

  7. Tully J (2008) Introduction to Windows anti-debugging. https://www.codeproject.com/Articles/29469/Introduction-Into-Windows-Anti-Debugging/. Accessed 19 Aug 2019

  8. Ferrie P (2011) The ultimate anti-debugging reference. https://www.anti-reversing.com/the-ultimate-anti-debugging-reference/. Accessed 19 Aug 2019

  9. Shields T (2011) Anti-debugging: a developer's view. Veracode Inc, USA. https://www.secnews.pl/wp-content/uploads/2011/05/whitepaper_antidebugging.pdf. Accessed 19 Aug 2019

  10. VMPSoft (2018) VMProtect software: VMProtect virtualizes code. https://vmpsoft.com/products/vmprotect/. Accessed 19 Aug 2019

  11. Garnett T (2003) Dynamic optimization of IA-32 applications under DynamoRIO. Master's thesis, MIT

  12. OllyAdvanced (2013) OllyAdvanced—OllyDbg plugin for a number of advancements and anti-debug features. https://www.aldeid.com/wiki/OllyDbg/OllyAdvanced. Accessed 19 Aug 2019

  13. Shi H, Mirkovic J (2017) Hiding debuggers from malware with Apate. In: Proceedings of the Symposium on Applied Computing, pp 1703–1710

  14. Bardin S, David R, Marion JY (2017) Backward-bounded DSE: targeting infeasibility questions on obfuscated codes. In: Proceedings of 2017 IEEE Symposium on Security and Privacy, pp 633–651

  15. Blazytko T, Contag M, Aschermann C, Holz T (2017) Syntia: synthesizing the semantics of obfuscated code. In: Proceedings of USENIX Security Symposium 2017, pp 643–659

  16. Chen P, Huygens C, Desmet L, Joosen W (2016) Advanced or not? A comparative study of the use of anti-debugging and anti-VM techniques in generic and targeted malware. In: Proceedings of IFIP International Conference on ICT Systems Security and Privacy Protection, IFIPAICT, vol 471, pp 323–336

  17. Kirsch J, Zhechev Z, Bierbaumer B, Kittel T (2018) PwIN – Pwning Intel piN: why DBI is unsuitable for security applications. In: Proceedings of ESORICS ’18, LNCS, vol 11098, pp 363–392

  18. Barham P, Dragovic B, Fraser K, Hand S, Harris T, Ho A, Neugebauer R, Pratt I, Warfield A (2003) Xen and the art of virtualization. In: Proceedings of SOSP’03, pp 164–177

  19. Miller C, Glendowne D, Cook H, Thomas D, Lanclos C, Pape P (2017) Insights gained from constructing a large-scale dynamic analysis platform. Digit Investig 22(Supplement):S38–S56

  20. Polino M, Continella A, Mariani S, D’Alessio S, Fontana L, Gritti F, Zanero S (2017) Measuring and defeating anti-instrumentation-equipped malware. In: Proceedings of DIMVA’2017, vol 10327. LNCS, pp 73–96

  21. OllyDbg (2014) OllyDbg v1.10: 32-bit assembler level analyzing debugger for Microsoft Windows. https://www.ollydbg.de/. Accessed 19 Aug 2019

  22. Kim G-M, Park J, Jang Y-H, Park Y (2019) Efficient automatic original entry point detection. J Inf Sci Eng 35(4):887–902

  23. Nethercote N, Seward J (2007) Valgrind: a framework for heavyweight dynamic binary instrumentation. In: Proceedings of PLDI’07, pp 89–100

  24. Hunt G, Brubacher D (1999) Detours: binary interception of Win32 functions. In: Proceedings of the 3rd USENIX Windows NT Symposium

  25. Lim C, Ramli K (2014) Mal-ONE: a unified framework for fast and efficient malware detection. In: Proceedings of the 2nd International Conference on Technology, Informatics, Management, Engineering & Environment

  26. Yoshizaki K, Yamauchi T (2014) Malware detection method focusing on anti-debugging functions. In: Proceedings of the Second International Symposium on Computing and Networking (CANDAR), pp 563–566

  27. Zeng J, Fu Y, Lin Z (2015) PEMU: a Pin highly compatible out-of-VM dynamic binary instrumentation framework. In: Proceedings of the 11th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments, pp 147–160

  28. Dunaev D, Charaf H, Lengyel L (2013) A method of machine code translation to intermediate representation. In: Proceedings of 2013 IEEE 4th International Conference on Cognitive Infocommunications (CogInfoCom)

  29. Hex-rays (2015) IDA Pro: multi-processor disassembler and debugger. https://www.hex-rays.com/products/ida/index.shtml. Accessed 19 Aug 2019

  30. Solomon DA, Russinovich ME, Ionescu A (2009) Windows Internals, 5th edn. Microsoft Press

  31. Kang MG, Poosankam P, Yin H (2007) Renovo: a hidden code extractor for packed executables. In: Proceedings of WORM'07, Alexandria, Virginia, USA, pp 46–54

  32. Safengine (2017) Safengine protector. https://www.safengine.com/en-us/. Accessed 19 Aug 2019


Acknowledgments

This research was supported by Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Education (2017R1D1A1B03029550).

Author information

Corresponding author

Correspondence to Yongsu Park.

Additional information


Seokwoo Choi and Taejoo Chang have contributed equally to this work.


Cite this article

Choi, S., Chang, T., Yoon, Sw. et al. Hybrid emulation for bypassing anti-reversing techniques and analyzing malware. J Supercomput 77, 471–497 (2021). https://doi.org/10.1007/s11227-020-03270-6


  • DOI: https://doi.org/10.1007/s11227-020-03270-6
