Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS)

Software deobfuscation methods: analysis and implementation

Abstract

This paper describes work on the development of deobfuscation software. The main target of the developed software is the analysis of obfuscated malware code. The need for this analysis comes from obfuscation techniques being widely used to protect implementations. The regular disassembly tool most often used by an analyst transforms binary code into a human-readable form but neither simplifies the result nor verifies its correctness. Earlier it was enough to apply pattern-matching cleanup of the inserted useless garbage code, but nowadays obfuscation techniques are becoming more complicated, requiring more complex methods of code analysis and simplification.

As deobfuscation methods require analysis and transformation algorithms similar to those of an optimizing compiler, we evaluated the LLVM compiler infrastructure as a basis for deobfuscation software. The difference from the compiler setting is that the deobfuscation algorithms do not have full information about the program being analyzed, but only a small part of it. The evaluation results show that using LLVM directly does not remove all the artifacts from the obfuscated code, so to produce cleaner output it is desirable to develop an independent tool. Nevertheless, using LLVM or a similar compiler infrastructure is a feasible approach for developing deobfuscation software.
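The following added example (not code from the paper or from the authors' tool) illustrates the abstract's contrast between pattern-matching garbage removal and compiler-style simplification. It assumes a constructed, single-assignment three-address mini-IR and a hand-made "obfuscated" block in which the constant 0x5A is built at run time, junk assignments are chained, and an identity operation is written in a form a naive pattern does not match. Constant/copy propagation followed by dead-code elimination reduces the block to the single XOR it actually computes, while the pattern rule removes nothing.

```python
# Added example: toy compiler-style simplifier over a constructed mini-IR.
# Instruction forms (an assumption of this example, not the paper's IR):
#   ("const", dst, int)
#   ("binop", dst, op, src1, src2)   op in OPS; srcs are variable names or ints
#   ("ret", src)
# Each variable name is assigned exactly once (single-assignment form).

OPS = {
    "add": lambda x, y: (x + y) & 0xFFFFFFFF,
    "sub": lambda x, y: (x - y) & 0xFFFFFFFF,
    "mul": lambda x, y: (x * y) & 0xFFFFFFFF,
    "xor": lambda x, y: x ^ y,
}


def pattern_cleanup(code):
    """Old-style cleanup: drop only the literal no-op pattern `v = v op 0`."""
    return [ins for ins in code
            if not (ins[0] == "binop" and ins[2] in ("add", "sub", "xor")
                    and ins[1] == ins[3] and ins[4] == 0)]


def propagate(code):
    """Constant and copy propagation with folding and algebraic identities."""
    env = {}   # name -> int constant, or name of the variable it is a copy of
    out = []

    def resolve(v):
        while isinstance(v, str) and v in env:
            v = env[v]
        return v

    for ins in code:
        if ins[0] == "const":
            env[ins[1]] = ins[2]
            out.append(ins)
        elif ins[0] == "binop":
            _, dst, op, a, b = ins
            a, b = resolve(a), resolve(b)
            if isinstance(a, int) and isinstance(b, int):
                val = OPS[op](a, b)               # both operands known: fold
                env[dst] = val
                out.append(("const", dst, val))
            elif (op in ("add", "sub", "xor") and b == 0) or (op == "mul" and b == 1):
                env[dst] = a                      # identity: dst is a copy of a
                out.append(("binop", dst, op, a, b))
            elif op in ("sub", "xor") and isinstance(a, str) and a == b:
                env[dst] = 0                      # x - x and x ^ x are always 0
                out.append(("const", dst, 0))
            else:
                env.pop(dst, None)
                out.append(("binop", dst, op, a, b))
        else:
            out.append(("ret", resolve(ins[1])))
    return out


def eliminate_dead(code):
    """Backward liveness pass: keep a definition only if its result is read later."""
    live = set()
    kept = []
    for ins in reversed(code):
        if ins[0] == "ret":
            if isinstance(ins[1], str):
                live.add(ins[1])
            kept.append(ins)
        elif ins[1] in live:
            live.discard(ins[1])
            for src in ins[3:]:                   # empty for "const"
                if isinstance(src, str):
                    live.add(src)
            kept.append(ins)
        # otherwise: pure instruction whose result is never read -> dropped
    return kept[::-1]


def simplify(code):
    return eliminate_dead(propagate(code))


def run(code, inputs):
    """Interpret a block, to check that simplification preserved behaviour."""
    env = dict(inputs)

    def val(v):
        return env[v] if isinstance(v, str) else v

    for ins in code:
        if ins[0] == "const":
            env[ins[1]] = ins[2]
        elif ins[0] == "binop":
            env[ins[1]] = OPS[ins[2]](val(ins[3]), val(ins[4]))
        else:
            return val(ins[1])


# Constructed sample: computes key ^ 0x5A behind junk and an opaque constant.
OBFUSCATED = [
    ("const", "t1", 45),
    ("binop", "t2", "mul", "t1", 2),        # 0x5A assembled at run time
    ("binop", "junk1", "add", "key", 7),    # garbage: result never used
    ("binop", "junk2", "mul", "junk1", 3),  # garbage chained on garbage
    ("binop", "t3", "xor", "key", "t2"),    # the real work
    ("binop", "t4", "add", "t3", 0),        # identity, but not `v = v + 0`
    ("binop", "junk3", "sub", "t4", "t4"),  # always 0, never used
    ("ret", "t4"),
]

if __name__ == "__main__":
    print("pattern cleanup kept", len(pattern_cleanup(OBFUSCATED)), "of", len(OBFUSCATED))
    for ins in simplify(OBFUSCATED):
        print(ins)
```

The liveness pass is what actually removes the garbage: the junk instructions are syntactically ordinary and no fixed pattern identifies them, but nothing downstream reads their results. The `run` interpreter gives the equivalence check an analyst would want before trusting a simplified listing.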

About the Authors

Sh. F. Kurmangaleev
ISP RAS, Moscow
Russian Federation


K. Y. Dolgorukova
ISP RAS, Moscow
Russian Federation


V. V. Savchenko
ISP RAS, Moscow
Russian Federation


A. R. Nurmukhametov
ISP RAS, Moscow
Russian Federation


H. A. Matevosyan
ISP RAS, Moscow
Russian Federation


V. P. Korchagin
ISP RAS, Moscow
Russian Federation



For citations:

Kurmangaleev Sh.F., Dolgorukova K.Y., Savchenko V.V., Nurmukhametov A.R., Matevosyan H.A., Korchagin V.P. Software deobfuscation methods: analysis and implementation. Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS). 2013;24. (In Russ.)



This work is licensed under a Creative Commons Attribution 4.0 License.


ISSN 2079-8156 (Print)
ISSN 2220-6426 (Online)