A generic approach to automatic deobfuscation of executable code

Babak Yadegari, Brian Johannesmeyer, Ben Whitely, Saumya Debray

Research output: Chapter in Book/Report/Conference proceedingConference contribution

91 Scopus citations

Abstract

Malicious software are usually obfuscated to avoid detection and resist analysis. When new malware is encountered, such obfuscations have to be penetrated or removed ('deobfuscated') in order to understand the internal logic of the code and devise countermeasures. This paper discusses a generic approach for deobfuscation of obfuscated executable code. Our approach does not make any assumptions about the nature of the obfuscations used, but instead uses semantics-preserving program transformations to simplify away obfuscation code. We have applied a prototype implementation of our ideas to a variety of different kinds of obfuscation, including emulation-based obfuscation, emulation-based obfuscation with runtime code unpacking, and return-oriented programming. Our experimental results are encouraging and suggest that this approach can be effective in extracting the internal logic from code obfuscated using a variety of obfuscation techniques, including tools such as Themida that previous approaches could not handle.

Original languageEnglish (US)
Title of host publicationProceedings - 2015 IEEE Symposium on Security and Privacy, SP 2015
PublisherInstitute of Electrical and Electronics Engineers Inc.
Pages674-691
Number of pages18
ISBN (Electronic)9781467369497
DOIs
StatePublished - Jul 17 2015
Event36th IEEE Symposium on Security and Privacy, SP 2015 - San Jose, United States
Duration: May 18 2015May 20 2015

Publication series

NameProceedings - IEEE Symposium on Security and Privacy
Volume2015-July
ISSN (Print)1081-6011

Other

Other36th IEEE Symposium on Security and Privacy, SP 2015
CountryUnited States
CitySan Jose
Period5/18/155/20/15

Keywords

  • Deobfuscation
  • Return Oriented Programming
  • Virtualization-Obfuscation

ASJC Scopus subject areas

  • Safety, Risk, Reliability and Quality
  • Software
  • Computer Networks and Communications

Fingerprint Dive into the research topics of 'A generic approach to automatic deobfuscation of executable code'. Together they form a unique fingerprint.

Cite this