A generic approach to automatic deobfuscation of executable code

Babak Yadegari, Brian Johannesmeyer, Ben Whitely, Saumya K Debray

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution

73 Citations (Scopus)

Abstract

Malicious software is usually obfuscated to avoid detection and resist analysis. When new malware is encountered, such obfuscations have to be penetrated or removed ('deobfuscated') in order to understand the internal logic of the code and devise countermeasures. This paper discusses a generic approach for deobfuscation of obfuscated executable code. Our approach does not make any assumptions about the nature of the obfuscations used, but instead uses semantics-preserving program transformations to simplify away obfuscation code. We have applied a prototype implementation of our ideas to a variety of different kinds of obfuscation, including emulation-based obfuscation, emulation-based obfuscation with runtime code unpacking, and return-oriented programming. Our experimental results are encouraging and suggest that this approach can be effective in extracting the internal logic from code obfuscated using a variety of obfuscation techniques, including tools such as Themida that previous approaches could not handle.

Original language: English (US)
Title of host publication: Proceedings - IEEE Symposium on Security and Privacy
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 674-691
Number of pages: 18
Volume: 2015-July
ISBN (Print): 9781467369497
DOIs: 10.1109/SP.2015.47
State: Published - Jul 17 2015
Event: 36th IEEE Symposium on Security and Privacy, SP 2015 - San Jose, United States
Duration: May 18 2015 to May 20 2015

Other

Other: 36th IEEE Symposium on Security and Privacy, SP 2015
Country: United States
City: San Jose
Period: 5/18/15 to 5/20/15

Fingerprint

  • Semantics
  • Malware

Keywords

  • Deobfuscation
  • Return Oriented Programming
  • Virtualization-Obfuscation

ASJC Scopus subject areas

  • Safety, Risk, Reliability and Quality
  • Software
  • Computer Networks and Communications

Cite this

Yadegari, B., Johannesmeyer, B., Whitely, B., & Debray, S. K. (2015). A generic approach to automatic deobfuscation of executable code. In Proceedings - IEEE Symposium on Security and Privacy (Vol. 2015-July, pp. 674-691). [7163054] Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/SP.2015.47

@inproceedings{8cfdc6a7ce8845cab08dfcf2ef80e1bf,
title = "A generic approach to automatic deobfuscation of executable code",
abstract = "Malicious software is usually obfuscated to avoid detection and resist analysis. When new malware is encountered, such obfuscations have to be penetrated or removed ('deobfuscated') in order to understand the internal logic of the code and devise countermeasures. This paper discusses a generic approach for deobfuscation of obfuscated executable code. Our approach does not make any assumptions about the nature of the obfuscations used, but instead uses semantics-preserving program transformations to simplify away obfuscation code. We have applied a prototype implementation of our ideas to a variety of different kinds of obfuscation, including emulation-based obfuscation, emulation-based obfuscation with runtime code unpacking, and return-oriented programming. Our experimental results are encouraging and suggest that this approach can be effective in extracting the internal logic from code obfuscated using a variety of obfuscation techniques, including tools such as Themida that previous approaches could not handle.",
keywords = "Deobfuscation, Return Oriented Programming, Virtualization-Obfuscation",
author = "Babak Yadegari and Brian Johannesmeyer and Ben Whitely and Debray, {Saumya K}",
year = "2015",
month = "7",
day = "17",
doi = "10.1109/SP.2015.47",
language = "English (US)",
isbn = "9781467369497",
volume = "2015-July",
pages = "674--691",
booktitle = "Proceedings - IEEE Symposium on Security and Privacy",
publisher = "Institute of Electrical and Electronics Engineers Inc.",

}

TY  - GEN
T1  - A generic approach to automatic deobfuscation of executable code
AU  - Yadegari, Babak
AU  - Johannesmeyer, Brian
AU  - Whitely, Ben
AU  - Debray, Saumya K
PY  - 2015/7/17
Y1  - 2015/7/17
N2  - Malicious software is usually obfuscated to avoid detection and resist analysis. When new malware is encountered, such obfuscations have to be penetrated or removed ('deobfuscated') in order to understand the internal logic of the code and devise countermeasures. This paper discusses a generic approach for deobfuscation of obfuscated executable code. Our approach does not make any assumptions about the nature of the obfuscations used, but instead uses semantics-preserving program transformations to simplify away obfuscation code. We have applied a prototype implementation of our ideas to a variety of different kinds of obfuscation, including emulation-based obfuscation, emulation-based obfuscation with runtime code unpacking, and return-oriented programming. Our experimental results are encouraging and suggest that this approach can be effective in extracting the internal logic from code obfuscated using a variety of obfuscation techniques, including tools such as Themida that previous approaches could not handle.
AB  - Malicious software is usually obfuscated to avoid detection and resist analysis. When new malware is encountered, such obfuscations have to be penetrated or removed ('deobfuscated') in order to understand the internal logic of the code and devise countermeasures. This paper discusses a generic approach for deobfuscation of obfuscated executable code. Our approach does not make any assumptions about the nature of the obfuscations used, but instead uses semantics-preserving program transformations to simplify away obfuscation code. We have applied a prototype implementation of our ideas to a variety of different kinds of obfuscation, including emulation-based obfuscation, emulation-based obfuscation with runtime code unpacking, and return-oriented programming. Our experimental results are encouraging and suggest that this approach can be effective in extracting the internal logic from code obfuscated using a variety of obfuscation techniques, including tools such as Themida that previous approaches could not handle.
KW  - Deobfuscation
KW  - Return Oriented Programming
KW  - Virtualization-Obfuscation
UR  - http://www.scopus.com/inward/record.url?scp=84945200690&partnerID=8YFLogxK
UR  - http://www.scopus.com/inward/citedby.url?scp=84945200690&partnerID=8YFLogxK
U2  - 10.1109/SP.2015.47
DO  - 10.1109/SP.2015.47
M3  - Conference contribution
AN  - SCOPUS:84945200690
SN  - 9781467369497
VL  - 2015-July
SP  - 674
EP  - 691
BT  - Proceedings - IEEE Symposium on Security and Privacy
PB  - Institute of Electrical and Electronics Engineers Inc.
ER  - 