DocumentCode :
3027021
Title :
An API deobfuscation method combining dynamic and static techniques
Author :
Qi Xi ; Tianyang Zhou ; Qingxian Wang ; Yongjun Zeng
Author_Institution :
State Key Lab. of Math. Eng. & Adv. Comput., Zhengzhou, China
fYear :
2013
fDate :
20-22 Dec. 2013
Firstpage :
2133
Lastpage :
2138
Abstract :
API call analysis is commonly used for malicious behavior detection, but malware authors adopt encryption techniques to hide API information and resolve the calls dynamically. Consequently, decrypting the internal ciphertext data in malware is now critical for malware analysis. In this paper, we propose a novel approach to automatically resolve the encrypted strings in malware. By analyzing the inherent dependencies between functions, we automatically identify the decryption routine and extract its context. To reveal the encrypted API names, the proposed approach loads the malware, constructs the context of the decryption routine, and then forces the program to call the decryption routines. The feasibility of our approach is demonstrated by implementing a prototype framework called ADSD (API Deobfuscation based on Static and Dynamic techniques).
Keywords :
cryptography; invasive software; ADSD; API Deobfuscation based on Static and Dynamic techniques; API calls analysis; API deobfuscation method; API information; decryption routines; encryption API names; encryption strings; encryption techniques; internal ciphertext data decryption; malicious behavior detection; malware analysis; malware authors; Algorithm design and analysis; Context; Emulation; Encryption; Loading; Malware; API obfuscation; decryption routines; emulation; malicious behavior; program slicing technique;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Mechatronic Sciences, Electric Engineering and Computer (MEC), Proceedings 2013 International Conference on
Conference_Location :
Shengyang
Print_ISBN :
978-1-4799-2564-3
Type :
conf
DOI :
10.1109/MEC.2013.6885402
Filename :
6885402