Deobfuscation of virtualization obfuscated software
Presentation Transcript


Deobfuscation of Virtualization-Obfuscated Software

Kevin Coogan, Gen Lu, Saumya Debray

Department of Computer Science, University of Arizona

Presenter: 張逸文

ADLab


Outline

Introduction

Deobfuscation

Experimental Evaluation

Related Work

Conclusion


Introduction(1/4)

  • Basics of reverse engineering

    • Compilation

    • Decompilation


Introduction(2/4)

  • Virtualization obfuscators

    • VMProtect, Code Virtualizer

      {
        VIRTUALIZER_START
        your code
        VIRTUALIZER_END
      }


Introduction(3/4)

  • Virtualization-obfuscated programs are resistant to static and dynamic analysis techniques

    • The executed code reveals only the structure and logic of the byte-code interpreter

    • Randomized VM

  • Outside-in approach

    • Reverse engineer the VM interpreter

    • Individual byte-code instructions

    • Recover the logic

    • Works only if the structure of the interpreter meets certain requirements


Introduction(4/4)

  • Programs interact with the system through system calls

  • Identify the instructions that interact with the system

  • Not recovering the original instructions

  • Capturing the behavior of the code

  • General: applicable in a wide range of settings


Deobfuscation

  • Static analysis vs. dynamic trace

  • Identify instructions that are known to be part of the original code

  • Requires no information about the specific structure of the interpreter


Deobfuscation

  • Overall approach:

  • Tracing tool

    • Low-level execution trace

  • Identifying system calls and their arguments

    • database

  • Instruction trace

    • Relevant instructions

  • Building a subtrace

    • Relevant subtrace


Deobfuscation

  • Value-based Dependence Analysis

    • Not recovering the original code

    • The process of deobfuscation must be semantics-preserving

    • Identifying instructions that affect the values of the arguments to system calls

    • Slicing algorithms: include control dependencies

    • Data dependencies

    • Use-definition chains: link instructions that use a variable to the instruction that defines it

    • Problem:


Deobfuscation

  • Value-based dependence

    if (I defines a location l ∈ S) {
        I is marked as relevant;
        l is removed from S;
        the set of locations used by I is added to S;
    }

  • Problem: a pointer to a structure

    I uses some locations l1, l2, …, ld

    if (I uses li ∈ P to define ld)
        ld is added to P

    if (li accesses a memory location)
        [li] is added to M
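The backward loop on this slide, run over a constructed trace, as an added example in Python (this is not code from the paper or from the presentation). The trace itself, the split of each instruction's uses into value uses and address uses, and the `follow_address_uses` switch are my assumptions about how the pointer bookkeeping (the P and M sets above) keeps the interpreter's virtual-PC arithmetic out of the relevant subtrace; the paper's exact rules may differ.

```python
"""Value-based dependence analysis over a dynamic trace (added example).

Constructed trace: a VM-style fetch/dispatch sequence followed by the
setup of a Linux write() system call.  Each entry records the locations
the instruction defines and uses.  Uses are split into value uses and
address uses: for `mov ecx, [esi]` the value that reaches ecx depends on
the memory cell, not on how the pointer esi was computed.  Only value
uses propagate into the working set S; that is the assumption used here
to keep the interpreter's virtual-PC arithmetic out of the subtrace.
"""
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class Insn:
    asm: str
    defs: Set[str]
    value_uses: Set[str]
    addr_uses: Set[str] = field(default_factory=set)


# Constructed trace (not a real VMProtect trace). Memory cells are named
# by their concrete address as observed in the trace.
TRACE: List[Insn] = [
    Insn("mov dword [0x401001], 0x402000", {"mem[0x401001]"}, set()),         # 0 operand in byte-code stream
    Insn("mov esi, 0x401000",              {"esi"}, set()),                    # 1 virtual PC setup
    Insn("movzx eax, byte [esi]",          {"eax"}, {"mem[0x401000]"}, {"esi"}),  # 2 fetch opcode
    Insn("add esi, 1",                     {"esi"}, {"esi"}),                  # 3 advance virtual PC
    Insn("jmp [0x10000+eax*4]",            set(), set(), {"eax"}),             # 4 dispatch to handler
    Insn("mov ecx, [esi]",                 {"ecx"}, {"mem[0x401001]"}, {"esi"}),  # 5 handler: buf operand
    Insn("add esi, 4",                     {"esi"}, {"esi"}),                  # 6 advance virtual PC
    Insn("mov edx, 13",                    {"edx"}, set()),                    # 7 len
    Insn("mov ebx, 1",                     {"ebx"}, set()),                    # 8 fd
    Insn("mov eax, 4",                     {"eax"}, set()),                    # 9 sys_write
    Insn("int 0x80",                       set(), {"eax", "ebx", "ecx", "edx"}),  # 10 system call
]


def relevant_subtrace(trace: List[Insn], follow_address_uses: bool = False) -> List[int]:
    """Walk the trace backwards from the final system call.

    S holds locations whose definitions are still wanted.  When an
    instruction defines one of them it is marked relevant, the defined
    location is dropped from S and the instruction's uses are added.
    Returns the sorted indices of the relevant instructions.
    """
    syscall = len(trace) - 1
    S: Set[str] = set(trace[syscall].value_uses)
    relevant = {syscall}
    for i in range(syscall - 1, -1, -1):
        insn = trace[i]
        defined = insn.defs & S
        if not defined:
            continue
        relevant.add(i)
        S -= defined
        S |= insn.value_uses
        if follow_address_uses:       # naive slicing: pull in pointer arithmetic too
            S |= insn.addr_uses
    return sorted(relevant)


if __name__ == "__main__":
    for mode in (False, True):
        idx = relevant_subtrace(TRACE, follow_address_uses=mode)
        print("address uses followed:" if mode else "value uses only:", idx)
        for i in idx:
            print(f"  {i:2d}: {TRACE[i].asm}")
```

With value uses only, the subtrace is the operand store, the handler's load of that operand and the four argument moves plus the system call; following address uses as well also drags in the virtual-PC setup and increment (instructions 1 and 3), which is exactly the interpreter machinery the analysis wants to leave out.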


Deobfuscation

  • Relevant Conditional Control Flow

    • Value-based dependence analysis doesn't identify the associated control flow instructions

    • How conditional control flow arises

    • IA-32 architecture: the condition code flags are set in the eflags register

    • Not that simple!

    • Examining the target address

    • Equational Reasoning System: translates each instruction in the dynamic trace into an equivalent set of equations


Deobfuscation

  • Equational Reasoning System

    • Identifies conditional dependencies

    • The left-hand-side variable of an equation is numbered by the order in which its instruction appears

    • Each right-hand-side variable is numbered by the instruction that defined it

  • Example 1.


Deobfuscation

  • Example 2.

  • Example 3.

    • Indirect jump


Deobfuscation

  • Example 4.

    • Used in VMProtect

    Target20 = index1 * 4 + 0x10000
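The numbering scheme and the substitution that yields an equation like Target20 = index1 * 4 + 0x10000, as an added Python example (not code from the paper or the presentation). Both traces are constructed by me: a VMProtect-style dispatch through a handler table at 0x10000, and a conditional jump on the zero flag; the expression encoding, the `_0` suffix for values present on trace entry, and the operator set are my assumptions.

```python
"""Equational reasoning over a dynamic trace (added example).

Each traced instruction becomes an equation.  The left-hand side is
numbered by the position of the instruction in the trace; every
register on the right-hand side is numbered by the instruction that
last defined it (suffix _0 = value on trace entry).  Substituting
definitions backwards from the final control transfer expresses its
target in terms of trace inputs, which is how the dependence of the
transfer on earlier values is identified.
"""
from typing import Dict, List, Set, Tuple, Union

Expr = Union[int, str, tuple]   # int constant, register name, or (op, arg, ...)

# Constructed VMProtect-style dispatch (not a real trace): the opcode byte
# fetched through the virtual PC (esi) indexes a handler table at 0x10000.
DISPATCH_TRACE: List[Tuple[str, Expr]] = [
    ("eax", ("load", "esi")),          # 1: movzx eax, byte [esi]
    ("eax", ("*", "eax", 4)),          # 2: shl eax, 2
    ("eax", ("+", "eax", 0x10000)),    # 3: add eax, 0x10000
    ("target", "eax"),                 # 4: jmp eax
]

# Constructed conditional jump: the taken/fall-through choice depends on
# the zero flag set by a compare.
COND_TRACE: List[Tuple[str, Expr]] = [
    ("eax", ("load", "ebp")),                     # 1: mov eax, [ebp]
    ("zf", ("==", "eax", 0)),                     # 2: cmp eax, 0
    ("target", ("?", "zf", 0x401020, 0x401030)),  # 3: jz 0x401020 (fall-through 0x401030)
]


def _rename(expr: Expr, last_def: Dict[str, int]) -> Expr:
    """Attach the defining instruction number to every register reference."""
    if isinstance(expr, str):
        return f"{expr}_{last_def.get(expr, 0)}"
    if isinstance(expr, int):
        return expr
    op, *args = expr
    return (op, *[_rename(a, last_def) for a in args])


def build_equations(trace: List[Tuple[str, Expr]]) -> Dict[str, Expr]:
    """LHS numbered by instruction order, RHS by the defining instruction."""
    last_def: Dict[str, int] = {}
    equations: Dict[str, Expr] = {}
    for n, (dst, expr) in enumerate(trace, start=1):
        equations[f"{dst}_{n}"] = _rename(expr, last_def)  # RHS uses the old numbering
        last_def[dst] = n
    return equations


def substitute(expr: Expr, equations: Dict[str, Expr]) -> Expr:
    """Replace defined variables by their right-hand sides until only
    constants and trace inputs remain."""
    if isinstance(expr, int):
        return expr
    if isinstance(expr, str):
        return substitute(equations[expr], equations) if expr in equations else expr
    op, *args = expr
    return (op, *[substitute(a, equations) for a in args])


def render(expr: Expr) -> str:
    if isinstance(expr, int):
        return hex(expr)
    if isinstance(expr, str):
        return expr
    op, *args = expr
    if op == "load":
        return f"[{render(args[0])}]"
    if op == "?":
        return f"({render(args[0])} ? {render(args[1])} : {render(args[2])})"
    return f"({render(args[0])} {op} {render(args[1])})"


def inputs(expr: Expr) -> Set[str]:
    """Trace inputs (suffix _0) the expression depends on."""
    if isinstance(expr, int):
        return set()
    if isinstance(expr, str):
        return {expr}
    return set().union(*(inputs(a) for a in expr[1:]))


def jump_dependencies(trace: List[Tuple[str, Expr]]) -> Tuple[str, List[str]]:
    """Simplified target expression of the final control transfer and the
    trace inputs it depends on."""
    equations = build_equations(trace)
    target = substitute(f"target_{len(trace)}", equations)
    return render(target), sorted(inputs(target))


if __name__ == "__main__":
    for name, trace in (("dispatch", DISPATCH_TRACE), ("conditional", COND_TRACE)):
        print(name, *jump_dependencies(trace))
```

For the dispatch trace the jump target reduces to `([esi_0] * 4) + 0x10000`, the same shape as the slide's equation with the opcode byte playing the role of index; for the conditional trace the target is a choice between two constants governed by a compare on a loaded value, so the instructions defining that value are the ones the control flow depends on.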




Deobfuscation

  • Relevant Call-Return Control Flow

    • Identifying functions: the behavior of calls and returns

    • Knowing how they work allows one to use them for other purposes

    • Behavior of Function Calls and Returns


Deobfuscation

call rewritten as push

cannot be resolved

registers


Deobfuscation

  • Identification Approach

    • Call: a code address is saved at the call site

    • Return: the saved address is used for a control transfer at the return point
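The two-part criterion on this slide applied to a constructed trace, as an added Python example (not code from the paper or the presentation). The trace, the `Step` record with its `saved` and `target` fields, and the assumption that a saved value only counts as a code address if some instruction in the trace executes there are all mine.

```python
"""Identifying calls and returns in a dynamic trace by behaviour (added example).

Rule from the slide: a call is an instruction that saves a code address
at the call site; a return is a later instruction that uses a saved
address as the target of a control transfer.  Because the rule looks at
behaviour rather than mnemonics it also pairs `push ret; jmp f` with a
return implemented as `pop ecx; jmp ecx`.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Step:
    ip: int                       # address of the executed instruction
    asm: str
    saved: Optional[int] = None   # value written to the stack/memory, if any
    target: Optional[int] = None  # address control was transferred to, if any


# Constructed trace (not from a real binary): an obfuscated call/return
# pair followed by a conventional one.
TRACE: List[Step] = [
    Step(0x401000, "push 0x401007", saved=0x401007),                    # 0 save return address
    Step(0x401005, "jmp 0x401100", target=0x401100),                    # 1 enter callee
    Step(0x401100, "mov eax, 1"),                                       # 2
    Step(0x401103, "pop ecx"),                                          # 3 callee pops return address
    Step(0x401104, "jmp ecx", target=0x401007),                         # 4 return via indirect jump
    Step(0x401007, "mov ebx, eax"),                                     # 5
    Step(0x401009, "call 0x401200", saved=0x40100e, target=0x401200),   # 6 conventional call
    Step(0x401200, "ret", target=0x40100e),                             # 7 conventional return
    Step(0x40100e, "int 0x80"),                                         # 8
]


def identify_calls_returns(trace: List[Step]) -> List[Tuple[int, int, int]]:
    """Return (call_index, return_index, saved_address) triples.

    A saved value only counts as a code address if some instruction in
    the trace executes at that address; a saved address that is never
    used for a control transfer yields no pair.
    """
    code_addrs = {s.ip for s in trace}
    pending: Dict[int, int] = {}   # saved code address -> index of the saving instruction
    pairs: List[Tuple[int, int, int]] = []
    for i, step in enumerate(trace):
        if step.target is not None and step.target in pending:
            pairs.append((pending.pop(step.target), i, step.target))
        if step.saved is not None and step.saved in code_addrs:
            pending[step.saved] = i
    return pairs


if __name__ == "__main__":
    for call_i, ret_i, addr in identify_calls_returns(TRACE):
        print(f"call at {TRACE[call_i].ip:#x} ({TRACE[call_i].asm}) "
              f"returns at {TRACE[ret_i].ip:#x} ({TRACE[ret_i].asm}) via {addr:#x}")
```

The `push`/`jmp` pair at the start is recognised as a call even though no `call` instruction is executed, and the `jmp ecx` that consumes the saved address is recognised as its return; a code address that is pushed but never jumped to (a function pointer stored as data) produces no pair, which is the check the second half of the criterion provides.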


Deobfuscation

Relevant Dynamic Trace


Experimental Evaluation

  • Experimental Methodology

    • Compile the original source code

    • Generate an original dynamic trace

    • Build an original subtrace

    • Apply a virtualization-obfuscation technique

    • Generate an obfuscated dynamic trace

    • Build a relevant subtrace of the obfuscated trace

    • The obfuscated subtrace is matched to the original subtrace and scores are produced

    • The relevance score and obfuscation score are calculated


Experimental Evaluation

VX Heavens website


Related Work

  • Deobfuscation of code obfuscated via virtualization obfuscators

    • Rolles, Sharif, Falliere

  • Programming language community

    • Partial evaluation


Conclusions

Virtualization-obfuscated programs are difficult to reverse engineer

We present a different approach to identifying the flow of values to system call instructions


XD ~