http://dx.doi.org/10.13089/JKIISC.2020.30.4.605

VMProtect Operation Principle Analysis and Automatic Deobfuscation Implementation

Bang, Cheol-ho (Korea University)
Suk, Jae Hyuk (Korea University)
Lee, Sang-jin (Korea University)
Abstract
Obfuscation delays the analysis of a program by modifying its internal logic, such as data structures and control flow, while preserving its functionality. However, the same obfuscation techniques are frequently applied to malicious code to reduce its detection rate in antivirus software. Obfuscation developed to protect software intellectual property is thus turned to the opposite purpose: it lowers the detection rate of malware and also makes the code difficult to analyze, so that identifying its functionality becomes hard. Research on deobfuscation techniques that can closely restore the original code must therefore continue. This paper analyzes the characteristics of code obfuscated with the Pack the Output File and Import Protection options, two of the detailed protection features provided by VMProtect 3.4.0, a popular commercial obfuscation tool, and presents a deobfuscation algorithm for them.
Keywords
Digital Forensics; Code De-obfuscation; VMProtect; Packer; Protector
Citations & Related Records
Times cited by KSCI: 6
[1] C. Collberg, C. Thomborson and D. Low, "A taxonomy of obfuscating transformations," Department of Computer Science, The University of Auckland, New Zealand, 1997.
[2] Gyeong-Ryul Lee, Heong-Jun Yuk, Gang-Bin Im and Il-Seon Yu, "Trends in obfuscation technology for software security," Communications of the Korean Institute of Information Scientists and Engineers, 34(1), pp. 22-27, 2016.
[3] LCF-AT, "Themida+WinLicense 2.x (Unpacking)," Jul. 2013. https://tuts4you.com/download.php?view.3495
[4] LCF-AT, "Themida+WinLicense 2.x (Ultra Unpacker v1.4)," Jan. 2014. http://tuts4you.com/download.php?view.3526
[5] Seong-Kyun Mok, Hyeon-gu Jeon and Eun-Sun Cho, "Program Slicing for Binary code Deobfuscation," Journal of the Korea Institute of Information Security & Cryptology, 27(1), pp. 59-66, 2017.
[6] B. Yadegari, B. Johannesmeyer, B. Whitely and S. Debray, "A generic approach to automatic deobfuscation of executable code," IEEE Symposium on Security and Privacy, pp. 674-691, 2015.
[7] Min-Gyung Kang, P. Poosankam and H. Yin, "Renovo: A hidden code extractor for packed executables," Proceedings of the 2007 ACM Workshop on Recurring Malcode, ACM, pp. 46-53, 2007.
[8] Jae-hwi Lee, Jae-hyeok Han, Min-wook Lee, Jae-mun Choi, Hyun-woo Baek and Sang-jin Lee, "A Study on API Wrapping in Themida and Unpacking Technique," Journal of the Korea Institute of Information Security & Cryptology, 27(1), pp. 67-77, Feb. 2017.
[9] https://www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html
[10] Jae-hwi Lee, Byung-hee Lee and Sang-hyun Cho, "A Study on the Analysis Method to API Wrapping that Difficult to Normalize in the Latest Version of Themida," Journal of the Korea Institute of Information Security & Cryptology, 29(6), pp. 1375-1382, 2019.
[11] https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf
[12] Soon-Gohn Kim, "Code Automatic Analysis Technique for Virtualization-based Obfuscation and Deobfuscation," Journal of Korea Institute of Information, Electronics, and Communication Technology, 11(6), pp. 724-731, 2018.
[13] C.-K. Luk, R. Cohn, R. Muth, H. Patil, A. Klauser, G. Lowney, S. Wallace, V. J. Reddi and K. Hazelwood, "Pin: Building Customized Program Analysis Tools with Dynamic Instrumentation," pp. 190-192.
[14] You-jin Kang, Moon Chan Park and Dong Hoon Lee, "Implementation of the Automated De-Obfuscation Tool to Restore Working Executable," Journal of the Korea Institute of Information Security & Cryptology, 27(4), pp. 785-802, 2017.