DocumentCode
3027021
Title
An API deobfuscation method combining dynamic and static techniques
Author
Qi Xi ; Tianyang Zhou ; Qingxian Wang ; Yongjun Zeng
Author_Institution
State Key Lab. of Math. Eng. & Adv. Comput., Zhengzhou, China
fYear
2013
fDate
20-22 Dec. 2013
Firstpage
2133
Lastpage
2138
Abstract
API call analysis is commonly used for malicious behavior detection, but malware authors adopt encryption techniques to hide API information, resolving the encrypted names only when the APIs are called dynamically. Consequently, decrypting the internal ciphertext data in malware is now critical for malware analysis. In this paper, we propose a novel approach to automatically resolve the encrypted strings in malware. By analyzing the inherent dependencies between functions, we automatically identify the decryption routine and extract its context. To reveal the encrypted API names, the proposed approach loads the malware, constructs the context of the decryption routine, and then forces the program to call the decryption routines. The feasibility of our approach is demonstrated by implementing a prototype framework called ADSD (API Deobfuscation based on Static and Dynamic techniques).
Keywords
cryptography; invasive software; ADSD; API Deobfuscation based on Static and Dynamic techniques; API calls analysis; API deobfuscation method; API information; decryption routines; encryption API names; encryption strings; encryption techniques; internal ciphertext data decryption; malicious behavior detection; malware analysis; malware authors; Algorithm design and analysis; Context; Emulation; Encryption; Loading; Malware; API obfuscation; decryption routines; emulation; malicious behavior; program slicing technique;
fLanguage
English
Publisher
ieee
Conference_Titel
Mechatronic Sciences, Electric Engineering and Computer (MEC), Proceedings 2013 International Conference on
Conference_Location
Shengyang
Print_ISBN
978-1-4799-2564-3
Type
conf
DOI
10.1109/MEC.2013.6885402
Filename
6885402
Link To Document