Article

A Generic Approach to Automatic Deobfuscation of Executable Code

Authors:

Babak Yadegari,

Brian Johannesmeyer,

Ben Whitely,

Saumya DebrayAuthors Info & Claims

SP '15: Proceedings of the 2015 IEEE Symposium on Security and Privacy

Pages 674 - 691

https://doi.org/10.1109/SP.2015.47

Published: 17 May 2015 Publication History

Abstract

Malicious software are usually obfuscated to avoid detection and resist analysis. When new malware is encountered, such obfuscations have to be penetrated or removed ("deobfuscated") in order to understand the internal logic of the code and devise countermeasures. This paper discusses a generic approach for deobfuscation of obfuscated executable code. Our approach does not make any assumptions about the nature of the obfuscations used, but instead uses semantics-preserving program transformations to simplify away obfuscation code. We have applied a prototype implementation of our ideas to a variety of different kinds of obfuscation, including emulation-based obfuscation, emulation-based obfuscation with runtime code unpacking, and return-oriented programming. Our experimental results are encouraging and suggest that this approach can be effective in extracting the internal logic from code obfuscated using a variety of obfuscation techniques, including tools such as Themida that previous approaches could not handle.

Cited By

View all

Faingnaert TVan Iseghem WDe Sutter BSchrittwieser SIanni M(2024)K-Hunt++: Improved Dynamic Cryptographic Key ExtractionProceedings of the 2024 Workshop on Research on offensive and defensive techniques in the context of Man At The End (MATE) attacks10.1145/3689934.3690818(22-29)Online publication date: 19-Nov-2024
https://dl.acm.org/doi/10.1145/3689934.3690818
Faingnaert TZhang TVan Iseghem WEveraert GCoppens BCollberg CDe Sutter BSchrittwieser SIanni M(2024)Tools and Models for Software Reverse Engineering ResearchProceedings of the 2024 Workshop on Research on offensive and defensive techniques in the context of Man At The End (MATE) attacks10.1145/3689934.3690817(44-58)Online publication date: 19-Nov-2024
https://dl.acm.org/doi/10.1145/3689934.3690817
Mariano BWang ZPailoor SCollberg CDillig I(2024)Control-Flow Deobfuscation using Trace-Informed Compositional Program SynthesisProceedings of the ACM on Programming Languages10.1145/36897898:OOPSLA2(2211-2241)Online publication date: 8-Oct-2024
https://dl.acm.org/doi/10.1145/3689789
Show More Cited By

Recommendations

SoK: Automatic Deobfuscation of Virtualization-protected Applications
ARES '21: Proceedings of the 16th International Conference on Availability, Reliability and Security

Malware authors often rely on code obfuscation to hide the malicious functionality of their software, making detection and analysis more difficult. One of the most advanced techniques for binary obfuscation is virtualization-based obfuscation, which ...
Transforming malicious code to ROP gadgets for antivirus evasion

This study advances research in offensive technology by proposing return oriented programming (ROP) as a means to achieve code obfuscation. The key inspiration is that ROP's unique structure poses various challenges to malware analysis compared to ...
PowerPeeler: A Precise and General Dynamic Deobfuscation Method for PowerShell Scripts
CCS '24: Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security

PowerShell is a powerful and versatile task automation tool. Unfortunately, it is also widely abused by cyber attackers. To bypass malware detection and hinder threat analysis, attackers often employ diverse techniques to obfuscate malicious PowerShell ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

SP '15: Proceedings of the 2015 IEEE Symposium on Security and Privacy

May 2015

923 pages

ISBN:9781467369497

Publisher

IEEE Computer Society

United States

Publication History

Published: 17 May 2015

Author Tags

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

49
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 16 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Faingnaert TVan Iseghem WDe Sutter BSchrittwieser SIanni M(2024)K-Hunt++: Improved Dynamic Cryptographic Key ExtractionProceedings of the 2024 Workshop on Research on offensive and defensive techniques in the context of Man At The End (MATE) attacks10.1145/3689934.3690818(22-29)Online publication date: 19-Nov-2024
https://dl.acm.org/doi/10.1145/3689934.3690818
Faingnaert TZhang TVan Iseghem WEveraert GCoppens BCollberg CDe Sutter BSchrittwieser SIanni M(2024)Tools and Models for Software Reverse Engineering ResearchProceedings of the 2024 Workshop on Research on offensive and defensive techniques in the context of Man At The End (MATE) attacks10.1145/3689934.3690817(44-58)Online publication date: 19-Nov-2024
https://dl.acm.org/doi/10.1145/3689934.3690817
Mariano BWang ZPailoor SCollberg CDillig I(2024)Control-Flow Deobfuscation using Trace-Informed Compositional Program SynthesisProceedings of the ACM on Programming Languages10.1145/36897898:OOPSLA2(2211-2241)Online publication date: 8-Oct-2024
https://dl.acm.org/doi/10.1145/3689789
Yong Wong MValakuzhy KAhamad MBlough DMonrose F(2024)Understanding LLMs Ability to Aid Malware Analysts in Bypassing Evasion TechniquesCompanion Proceedings of the 26th International Conference on Multimodal Interaction10.1145/3686215.3690147(36-40)Online publication date: 4-Nov-2024
https://dl.acm.org/doi/10.1145/3686215.3690147
Kim SKim HCha SChandra SBlincoe KTonella P(2023)FunProbe: Probing Functions from Binary Code through Probabilistic AnalysisProceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering10.1145/3611643.3616366(1419-1430)Online publication date: 30-Nov-2023
https://dl.acm.org/doi/10.1145/3611643.3616366
Anwar MZuo CYagemann CLin Z(2023)Extracting Threat Intelligence From Cheat Binaries For Anti-CheatingProceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses10.1145/3607199.3607211(17-31)Online publication date: 16-Oct-2023
https://dl.acm.org/doi/10.1145/3607199.3607211
Sang YHuang YHuang SCui H(2023)Beyond the Model: Data Pre-processing Attack to Deep Learning Models in Android AppsProceedings of the 2023 Secure and Trustworthy Deep Learning Systems Workshop10.1145/3591197.3591308(1-9)Online publication date: 10-Jul-2023
https://dl.acm.org/doi/10.1145/3591197.3591308
Daniel LBardin SRezk T(2023)Binsec/Rel: Symbolic Binary Analyzer for Security with Applications to Constant-Time and Secret-ErasureACM Transactions on Privacy and Security10.1145/356303726:2(1-42)Online publication date: 14-Apr-2023
https://dl.acm.org/doi/10.1145/3563037
Priamo GD'Elia DQuerzoni L(2022)Principled Composition of Function Variants for Dynamic Software Diversity and Program ProtectionProceedings of the 37th IEEE/ACM International Conference on Automated Software Engineering10.1145/3551349.3559553(1-5)Online publication date: 10-Oct-2022
https://dl.acm.org/doi/10.1145/3551349.3559553
Zhao YTang ZYe GGong XFang D(2021)Input-Output Example-Guided Data Deobfuscation on BinarySecurity and Communication Networks10.1155/2021/46460482021Online publication date: 1-Jan-2021
https://dl.acm.org/doi/10.1155/2021/4646048
Show More Cited By

Abstract

Cited By

Recommendations

SoK: Automatic Deobfuscation of Virtualization-protected Applications

Transforming malicious code to ROP gadgets for antivirus evasion

PowerPeeler: A Precise and General Dynamic Deobfuscation Method for PowerShell Scripts

Comments

Information

Published In

Publisher

Publication History

Author Tags

Qualifiers

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations