TY - GEN
T1 - A generic approach to automatic deobfuscation of executable code
AU - Yadegari, Babak
AU - Johannesmeyer, Brian
AU - Whitely, Ben
AU - Debray, Saumya
N1 - Publisher Copyright:
© 2015 IEEE.
PY - 2015/7/17
Y1 - 2015/7/17
N2 - Malicious software are usually obfuscated to avoid detection and resist analysis. When new malware is encountered, such obfuscations have to be penetrated or removed ('deobfuscated') in order to understand the internal logic of the code and devise countermeasures. This paper discusses a generic approach for deobfuscation of obfuscated executable code. Our approach does not make any assumptions about the nature of the obfuscations used, but instead uses semantics-preserving program transformations to simplify away obfuscation code. We have applied a prototype implementation of our ideas to a variety of different kinds of obfuscation, including emulation-based obfuscation, emulation-based obfuscation with runtime code unpacking, and return-oriented programming. Our experimental results are encouraging and suggest that this approach can be effective in extracting the internal logic from code obfuscated using a variety of obfuscation techniques, including tools such as Themida that previous approaches could not handle.
AB - Malicious software are usually obfuscated to avoid detection and resist analysis. When new malware is encountered, such obfuscations have to be penetrated or removed ('deobfuscated') in order to understand the internal logic of the code and devise countermeasures. This paper discusses a generic approach for deobfuscation of obfuscated executable code. Our approach does not make any assumptions about the nature of the obfuscations used, but instead uses semantics-preserving program transformations to simplify away obfuscation code. We have applied a prototype implementation of our ideas to a variety of different kinds of obfuscation, including emulation-based obfuscation, emulation-based obfuscation with runtime code unpacking, and return-oriented programming. Our experimental results are encouraging and suggest that this approach can be effective in extracting the internal logic from code obfuscated using a variety of obfuscation techniques, including tools such as Themida that previous approaches could not handle.
KW - Deobfuscation
KW - Return Oriented Programming
KW - Virtualization-Obfuscation
UR - http://www.scopus.com/inward/record.url?scp=84945200690&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84945200690&partnerID=8YFLogxK
U2 - 10.1109/SP.2015.47
DO - 10.1109/SP.2015.47
M3 - Conference contribution
AN - SCOPUS:84945200690
T3 - Proceedings - IEEE Symposium on Security and Privacy
SP - 674
EP - 691
BT - Proceedings - 2015 IEEE Symposium on Security and Privacy, SP 2015
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 36th IEEE Symposium on Security and Privacy, SP 2015
Y2 - 18 May 2015 through 20 May 2015
ER -