
The design and implementation of pin plugin tool to bypass anti-debugging techniques

Design and implementation of anti-debugging bypass using Pin

  • Hong, Soohwa (Department of Computer and Software, Hanyang University)
  • Park, Yongsu (Department of Computer and Software, Hanyang University)
  • Received: 2016.04.20
  • Accepted: 2016.08.25
  • Published: 2016.10.31

Abstract

Pin is a framework for creating dynamic program analysis tools, and it can perform program analysis in user space on Linux and Windows. Programs such as anti-reversing programs or malware that employ anti-debugging are hard to analyze with Pin. In this paper, we propose the design and implementation of a scheme that bypasses anti-debugging with Pin. A Pin code is written for each anti-debugging technique that detects Pin, and these Pin codes are combined into a single Pin tool that bypasses several anti-debugging methods. The Pin tool is tested with files created by a protector that supports anti-debugging. The technique in this paper is expected to serve as a reference for writing anti-debugging bypass code and, with code modification, to be applicable to newly discovered anti-debugging techniques in the future.

Pin is a framework for creating dynamic program analysis tools, and it enables analysis of user-space programs on Linux and Windows. Anti-reversing programs and malware apply anti-debugging that obstructs program analysis, so analysis with Pin is difficult. In this paper, we propose the design and implementation of a Pin plugin program that uses Pin to bypass the anti-debugging applied to a program, so that dynamic analysis can proceed. We write an individual Pin code for each Pin-detecting anti-debugging technique, and combine the Pin codes into one Pin tool that can bypass multiple anti-debugging techniques. The implemented Pin tool is tested for anti-debugging bypass on files generated by a protector that supports anti-debugging. This technique is expected to serve as a reference for writing bypass code for anti-debugging discovered in the future, and to be applicable to newly discovered anti-debugging after modification.
