• Title/Summary/Keyword: 가상화를 이용한 난독화

Search Result 6, Processing Time 0.021 seconds

Control Flow Reconstruction from Virtualization-Obfuscated Binaries (가상화를 이용하여 난독화된 바이너리의 제어 흐름 재건)

  • Hwang, Joonhyung;Han, Taisook
    • Journal of KIISE
    • /
    • v.42 no.1
    • /
    • pp.44-53
    • /
    • 2015
  • Control flow information is useful in the analysis and comparison of programs. Virtualization-obfuscation hides control structures of the original program by transforming machine instructions into bytecode. Direct examination of the resulting binary reveals only the structure of the interpreter. Recovery of the original instructions requires knowledge of the virtual machine architecture, which is randomly generated and hidden. In this paper, we propose a method to reconstruct original control flow using only traces generated from the obfuscated binary. We consider traces as strings and find an automaton that represents the strings. State transitions in the automaton correspond to the control transfers in the original program. We have shown the effectiveness of our method with commercial obfuscators.

A Dynamic Approach to Extract the Original Semantics and Structure of VM-based Obfuscated Binary Executables (가상 머신 기반으로 난독화된 실행파일의 구조 및 원본의미 추출 동적 방법)

  • Lee, Sungho;Han, Taisook
    • Journal of KIISE
    • /
    • v.41 no.10
    • /
    • pp.859-869
    • /
    • 2014
  • In recent years, the obfuscation techniques are commonly exploited to protect malwares, so obfuscated malwares have become a big threat. Especially, it is extremely hard to analyze virtualization-obfuscated malwares based on unusual virtual machines, because the original program is hidden by the virtual machine as well as its semantics is mixed with the semantics of the virtual machine. To confront this threat, we suggest a framework to analyze virtualization-obfuscated programs based on the dynamic analysis. First, we extract the dynamic execution trace of the virtualization-obfuscated executables. Second, we analyze the traces by translating machine instruction sequences into the intermediate representation and extract the virtual machine architecture by constructing dynamic context flow graphs. Finally, we extract abstract semantics of the original program using the extracted virtual machine architecture. In this paper, we propose a method to extract the information of the original program from a virtualization-obfuscated program by some commercial obfuscation tools. We expect that our tool can be used to understand virtualization-obfuscated programs and integrate other program analysis techniques so that it can be applied to analysis of the semantics of original programs using the abstract semantics.

An Effective Java Obfuscation Technique Using Assignment Statements Merging (대입문 병합을 이용한 효율적인 자바 난독화 기법)

  • Lee, Kyong-Ho;Park, Hee-Wan
    • Journal of the Korea Society of Computer and Information
    • /
    • v.18 no.10
    • /
    • pp.129-139
    • /
    • 2013
  • Java bytecodes are executed not on target machine but on the Java virtual machines. Since this bytecodes use a higher level representation than binary code, it is possible to decompile most bytecodes back to Java source. Obfuscation is the technique of obscuring code and it makes program difficult to understand. However, most of the obfuscation techniques make the code size and the performance of obfuscated program bigger and slower than original program. In this paper, we proposed an effective Java obfuscation techniques using assignment statements merging that make the source program difficult to understand. The basic approach is to merge assignments statements to append side effects of statement. An additional benefit is that the size of the bytecode is reduced.

A Study on the Java Decompilation-Preventive Method by Obfuscating Algorithm (난독화 알고리즘을 이용한 자바 역컴파일 방지기법에 관한 연구)

  • Ahn, Hwa-Su
    • Proceedings of the Korea Information Processing Society Conference
    • /
    • 2007.05a
    • /
    • pp.1457-1458
    • /
    • 2007
  • 자바 언어의 중요한 특징 중의 하나는 어떤 기계에서든지 실행될 수 있다는 점이다. 이러한 플랫폼에 대한 독립성은 자바 프로그램이 바이트 코드 형태로 배포되기 때문에 가능한 일이다. 바이트 코드는 특정 기계에 종속되지 않고 자바 가상 머신(Java Virtual Machine:JVM)를 지원하는 곳이면 어디에서든지 실행 가능하다. 그런데 바이트 코드로 번역된 코드에는 자바 소스 코드의 정보가 그대로 포함되어 있는데, 이로 인해서 바이트 코드에서 자바 소스코드로의 역컴파일(Decompilation)이 쉽게 이루어진다는 취약점이 있다. 본 논문에서는 자바 바이트 코드의 난독화 기법을 살펴보고, Code Encryption Algorithm을 이용해서 역컴파일 하기 어려운 형태로 만드는 기술인 코드 난독처리(Code Obfuscation) 기법을 제안하였다.

Analysis of Anti-Reversing Functionalities of VMProtect and Bypass Method Using Pin (VMProtect의 역공학 방해 기능 분석 및 Pin을 이용한 우회 방안)

  • Park, Seongwoo;Park, Yongsu
    • KIPS Transactions on Computer and Communication Systems
    • /
    • v.10 no.11
    • /
    • pp.297-304
    • /
    • 2021
  • Commercial obfuscation tools (protectors) aim to create difficulties in analyzing the operation process of software by applying obfuscation techniques and Anti-reversing techniques that delay and interrupt the analysis of programs in software reverse engineering process. In particular, in case of virtualization detection and anti-debugging functions, the analysis tool exits the normal execution flow and terminates the program. In this paper, we analyze Anti-reversing techniques of executables with Debugger Detection and Viralization Tools Detection options through VMProtect 3.5.0, one of the commercial obfuscation tools (protector), and address bypass methods using Pin. In addition, we predicted the location of the applied obfuscation technique by finding out a specific program termination routine through API analysis since there is a problem that the program is terminated by the Anti-VM technology and the Anti-DBI technology and drew up the algorithm flowchart for bypassing the Anti-reversing techniques. Considering compatibility problems and changes in techniques from differences in versions of the software used in experiment, it was confirmed that the bypass was successful by writing the pin automation bypass code in the latest version of the software (VMProtect, Windows, Pin) and conducting the experiment. By improving the proposed analysis method, it is possible to analyze the Anti-reversing method of the obfuscation tool for which the method is not presented so far and find a bypass method.

A Classification Method for Executable Files based on Comparison of Undocumented Information in the PE Header (실행파일 헤더내 문서화되지 않은 정보의 비교를 통한 실행파일 분류 방법)

  • Kim, Jung-Sun;Kang, Jung-Min;Kim, Kang-San;Shin, Wook
    • KIPS Transactions on Computer and Communication Systems
    • /
    • v.2 no.1
    • /
    • pp.43-50
    • /
    • 2013
  • File identification and analysis is an important process of computer forensics, since the process determines which subjects are necessary to be collected and analyzed as digital evidence. An efficient file classification aids in the file identification, especially in case of copyright infringement where we often have huge amounts of files. A lot of file classification methods have been proposed by far, but they have mostly focused on classifying malicious behaviors based on known information. In copyright infringement cases, we need a different approach since our subject includes not only malicious codes, but also vast number of normal files. In this paper, we propose an efficient file classification method that relies on undocumented information in the header of the PE format files. Out method is useful in copyright infringement cases, being applied to any sort of PE format executable file whether the file is malicious, packed, mutated, transformed, virtualized, obfuscated, or not.