http://dx.doi.org/10.13089/JKIISC.2013.23.4.709

Analysis of Virtualization Obfuscated Executable Files and Implementation of Automatic Analysis Tool  

Suk, Jae Hyuk (Graduate School of Information Security, Korea University)
Kim, Sunghoon (Graduate School of Information Security, Korea University)
Lee, Dong Hoon (Graduate School of Information Security, Korea University)
Abstract
Virtualization obfuscation makes code hard to analyze by applying virtualization to the code section. Code protected by commonly used virtualization obfuscation techniques is known to have no restore point and to be hard to analyze. Recently, however, the technique has been abused to protect malware, which makes such malware hard to analyze and respond to. The purpose of this paper is therefore to analyze and respond to malware protected by virtualization obfuscation by implementing a tool that automatically extracts the virtualization structure and traces the execution process. To that end, we describe the basic structure and operation of virtualization obfuscation and present the results of analyzing malware protected by virtualization obfuscation using an Equational Reasoning System, one kind of program analysis. We also implement an automatic analysis tool that extracts the virtualization structure from an executable file protected by virtualization obfuscation and deduces the program's execution sequence.
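To make the basic structure concrete, here is an added example (not the paper's tool or code): a constructed toy virtualization-obfuscated routine with a bytecode stream, a handler table and a dispatcher, plus a tracer that records the handler execution sequence and symbolically replays it to recover the hidden computation. The bytecode, opcodes and handler names are all assumptions constructed for the example.

```python
# Added example, not from the paper: a toy virtualization-obfuscated routine
# (constructed bytecode, handler table, dispatcher) plus a tracer that logs the
# handler sequence and symbolically replays it to recover the hidden computation.
from dataclasses import dataclass, field

# Constructed bytecode for the protected routine: (opcode, operand) pairs.
# Opcodes index the handler table; operands are immediates or None.
BYTECODE = [(0, 5), (0, 7), (1, None), (0, 2), (2, None), (3, None)]

@dataclass
class VMContext:
    pc: int = 0                                   # virtual program counter
    stack: list = field(default_factory=list)     # virtual operand stack
    running: bool = True

def h_push(ctx, imm): ctx.stack.append(imm)
def h_add(ctx, _): b, a = ctx.stack.pop(), ctx.stack.pop(); ctx.stack.append(a + b)
def h_mul(ctx, _): b, a = ctx.stack.pop(), ctx.stack.pop(); ctx.stack.append(a * b)
def h_halt(ctx, _): ctx.running = False

HANDLERS = {0: h_push, 1: h_add, 2: h_mul, 3: h_halt}   # handler table

def dispatch(ctx, bytecode, trace):
    """Dispatcher loop: fetch, decode, jump to handler. The trace list records
    (pc, handler name, operand) for every dispatch, as an execution tracer would."""
    while ctx.running:
        opcode, operand = bytecode[ctx.pc]
        handler = HANDLERS[opcode]
        trace.append((ctx.pc, handler.__name__, operand))
        ctx.pc += 1
        handler(ctx, operand)
    return ctx.stack[-1]

def recover_expression(trace):
    """Replay the traced handler sequence on a symbolic stack so the chain of
    handler effects collapses into one expression for the original computation."""
    sym = []
    for _, name, operand in trace:
        if name == "h_push":
            sym.append(str(operand))
        elif name in ("h_add", "h_mul"):
            b, a = sym.pop(), sym.pop()
            sym.append(f"({a} {'+' if name == 'h_add' else '*'} {b})")
    return sym[-1]

def analyze(bytecode=BYTECODE):
    """Run the protected routine under the tracer; return the concrete result,
    the handler execution sequence, and the recovered expression."""
    trace = []
    result = dispatch(VMContext(), bytecode, trace)
    return result, [name for _, name, _ in trace], recover_expression(trace)

if __name__ == "__main__":
    print(analyze())
```

On a real protected binary the handler table and dispatcher are located by tracing, not known up front; the symbolic replay is the step where a simplification such as equational reasoning collapses the handler sequence back into the original semantics.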
Keywords
Virtualization Obfuscation; Program Analysis; Automatic Analysis Tool