A Generic Approach to Automatic Deobfuscation of Executable Code

Malicious software are usually obfuscated to avoid detection and resist analysis. When new malware is encountered, such obfuscations have to be penetrated or removed ("deobfuscated") in order to understand the internal logic of the code and devise countermeasures. This paper discusses a ge...

Full description

Saved in:
Bibliographic Details
Published in2015 IEEE Symposium on Security and Privacy pp. 674 - 691
Main Authors Yadegari, Babak, Johannesmeyer, Brian, Whitely, Ben, Debray, Saumya
Format Conference Proceeding
LanguageEnglish
Published IEEE 01.05.2015
Subjects
Algorithm design and analysis
Deobfuscation
IP networks
Libraries
Programming
Return Oriented Programming
Reverse engineering
Security
Semantics
Virtualization-Obfuscation
Online AccessGet full text
ISSN1081-6011
DOI10.1109/SP.2015.47

Cover

More Information
Summary:Malicious software are usually obfuscated to avoid detection and resist analysis. When new malware is encountered, such obfuscations have to be penetrated or removed ("deobfuscated") in order to understand the internal logic of the code and devise countermeasures. This paper discusses a generic approach for deobfuscation of obfuscated executable code. Our approach does not make any assumptions about the nature of the obfuscations used, but instead uses semantics-preserving program transformations to simplify away obfuscation code. We have applied a prototype implementation of our ideas to a variety of different kinds of obfuscation, including emulation-based obfuscation, emulation-based obfuscation with runtime code unpacking, and return-oriented programming. Our experimental results are encouraging and suggest that this approach can be effective in extracting the internal logic from code obfuscated using a variety of obfuscation techniques, including tools such as Themida that previous approaches could not handle.
ISSN:1081-6011
DOI:10.1109/SP.2015.47