DocumentCode
3230836
Title
A Generic Approach to Automatic Deobfuscation of Executable Code
Author
Yadegari, Babak ; Johannesmeyer, Brian ; Whitely, Ben ; Debray, Saumya
Author_Institution
Dept. of Comput. Sci., Univ. of Arizona, Tucson, AZ, USA
fYear
2015
fDate
17-21 May 2015
Firstpage
674
Lastpage
691
Abstract
Malicious software are usually obfuscated to avoid detection and resist analysis. When new malware is encountered, such obfuscations have to be penetrated or removed ("deobfuscated") in order to understand the internal logic of the code and devise countermeasures. This paper discusses a generic approach for deobfuscation of obfuscated executable code. Our approach does not make any assumptions about the nature of the obfuscations used, but instead uses semantics-preserving program transformations to simplify away obfuscation code. We have applied a prototype implementation of our ideas to a variety of different kinds of obfuscation, including emulation-based obfuscation, emulation-based obfuscation with runtime code unpacking, and return-oriented programming. Our experimental results are encouraging and suggest that this approach can be effective in extracting the internal logic from code obfuscated using a variety of obfuscation techniques, including tools such as Themida that previous approaches could not handle.
Keywords
invasive software; programming; Themida tool; automatic executable code deobfuscation; emulation-based obfuscation; generic approach; malicious software; obfuscation techniques; return-oriented programming; runtime code unpacking; Algorithm design and analysis; IP networks; Libraries; Programming; Reverse engineering; Security; Semantics; Deobfuscation; Return Oriented Programming; Virtualization-Obfuscation;
fLanguage
English
Publisher
ieee
Conference_Titel
Security and Privacy (SP), 2015 IEEE Symposium on
Conference_Location
San Jose, CA
ISSN
1081-6011
Type
conf
DOI
10.1109/SP.2015.47
Filename
7163054
Link To Document