http://dx.doi.org/10.13089/JKIISC.2017.27.4.785

Implementation of the Automated De-Obfuscation Tool to Restore Working Executable

Kang, You-jin (Graduate School of Information Security, Korea University)
Park, Moon Chan (Graduate School of Information Security, Korea University)
Lee, Dong Hoon (Graduate School of Information Security, Korea University)
Abstract
As cyber threats using malicious code continue to increase, many security and anti-virus companies are putting a lot of effort into the analysis and detection of malicious code. However, obfuscation techniques that make software analysis harder are being applied to malicious code, making it difficult to respond to it quickly. In particular, commercial obfuscation tools can quickly and easily generate new variants of malicious code, so that malware analysts cannot keep up with them. In order for analysts to quickly analyze the actual malicious behavior of new variants, reverse obfuscation (de-obfuscation) is needed to disable the obfuscation. In this paper, a general analysis methodology is proposed to de-obfuscate software protected by a commercial obfuscation tool, Themida. First, we describe the operating principle of Themida by analyzing an executable file obfuscated with Themida. Next, we extract the original code and data information of the executable from the obfuscated executable using a Pintool (a tool written for Pin, a DBI (Dynamic Binary Instrumentation) framework), and explain the implementation results of an automated analysis tool that can de-obfuscate the protected file back to the original executable using the extracted code and data information. Finally, we evaluate the performance of our automated analysis tool by comparing the original executable with the de-obfuscated executable.
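The DBI extraction step described above relies on observing, at runtime, which bytes the protector's stub writes and later executes. The following Python is an added illustration, not the paper's tool: it replays a constructed Pintool-style event trace (memory-write and instruction-execute callbacks, with made-up addresses and bytes) and applies the write-then-execute heuristic to locate the original entry point and rebuild the unpacked code bytes that a dumping tool would write back into the executable.

```python
"""Recover unpacked code from a constructed DBI trace (write-then-execute heuristic)."""
from dataclasses import dataclass, field


@dataclass
class Recovered:
    oep: int = None                         # first address executed after being written
    code: dict = field(default_factory=dict)  # instruction address -> executed bytes


def recover(trace):
    """trace: iterable of ('W', addr, bytes) or ('X', addr, bytes) events, in the
    order a Pintool's memory-write and instruction callbacks would emit them.
    Returns the OEP candidate and every instruction fetched from runtime-written memory."""
    written = {}  # byte address -> value last written at runtime by the unpacking stub
    rec = Recovered()
    for kind, addr, data in trace:
        if kind == 'W':
            for i, b in enumerate(data):
                written[addr + i] = b
        elif kind == 'X' and any(addr + i in written for i in range(len(data))):
            # Instruction bytes come from memory the stub wrote earlier: unpacked code.
            if rec.oep is None:
                rec.oep = addr
            rec.code[addr] = data
    return rec


def to_image(rec, fill=b'\x00'):
    """Flatten recovered instructions into one contiguous byte string at the lowest
    address, ready to be written over the section of a dumped PE (gaps zero-filled)."""
    if not rec.code:
        return None, b''
    start = min(rec.code)
    end = max(a + len(b) for a, b in rec.code.items())
    buf = bytearray(fill * (end - start))
    for a, b in rec.code.items():
        buf[a - start:a - start + len(b)] = b
    return start, bytes(buf)


# Constructed sample trace: a stub at 0x401000 decrypts six bytes into 0x402000, then jumps there.
TRACE = [
    ('X', 0x401000, b'\x55'),           # stub: push ebp
    ('X', 0x401001, b'\x89\xe5'),       # stub: mov ebp, esp
    ('W', 0x402000, b'\x55\x8b\xec'),   # stub writes decrypted original code
    ('W', 0x402003, b'\x33\xc0\xc3'),
    ('X', 0x401003, b'\xff\xe0'),       # stub: jmp eax -> transfers to the original code
    ('X', 0x402000, b'\x55'),           # push ebp      (first write-then-execute: OEP)
    ('X', 0x402001, b'\x8b\xec'),       # mov ebp, esp
    ('X', 0x402003, b'\x33\xc0'),       # xor eax, eax
    ('X', 0x402005, b'\xc3'),           # ret
]

if __name__ == '__main__':
    r = recover(TRACE)
    base, image = to_image(r)
    print(f'OEP candidate: {r.oep:#x}, {len(image)} bytes of unpacked code at {base:#x}')
```

A real Pintool would stream these events from `INS_InsertCall` callbacks rather than a list, and the recovered range would then be written back into a dumped section together with a repaired entry point.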
Keywords
De-obfuscation; Program Analysis; Software Protection; Automatic Analysis Tool