• DocumentCode
    1572622
  • Title
    Static Analysis of the Disassembly against Malicious Code Obfuscated with Conditional Jumps
  • Author
    Dai, Chao ; Pang, Jianmin ; Zhao, Rongcai ; Ma, Xiaojun
  • Author_Institution
    Nat. Digital Switching Syst. Eng. & Technol. Res. Center of China, Beijing
  • fYear
    2008
  • Firstpage
    525
  • Lastpage
    530
  • Abstract
    With the spread of information technology and networks, malicious code has become a main threat to computer security. In order to avoid being analyzed statically, malicious code resorts to various obfuscation techniques to hide itself. Conditional jump obfuscation is one such technique. In this paper, we introduce four forms of conditional jump obfuscation that can confuse both of the two commonly used disassembly algorithms. Their basic idea is that two elaborately constructed conditional jump instructions are semantically equivalent to one unconditional jump. We propose a modified algorithm to crack the obfuscation, and we implement our idea in our reverse analysis tool Radux (Reverse Analysis for Detecting Unsafe eXecutables). Finally, we compare the disassembly output of Radux with that of objdump and IDA Pro. Relevant tests show that our implementation is effective.
  • Keywords
    invasive software; program control structures; program diagnostics; computer security; conditional jump obfuscation; disassembly algorithm; malicious code; reverse analysis; static program analysis; unsafe executable detection; Application software; Computer applications; Computer networks; Computer security; Data analysis; Information analysis; Information science; Information technology; Military computing; Pattern matching; conditional jump; disassembly; malicious codes; obfuscation;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Computer and Information Science, 2008. ICIS 08. Seventh IEEE/ACIS International Conference on
  • Conference_Location
    Portland, OR
  • Print_ISBN
    978-0-7695-3131-1
  • Type
    conf
  • DOI
    10.1109/ICIS.2008.18
  • Filename
    4529872