Automatic Reverse Engineering of Script Engine Binaries for Building Script API Tracers-Reference-Cited by-同舟云学术

Automatic Reverse Engineering of Script Engine Binaries for Building Script API Tracers

Published:2021-03 Issue:1 Volume:2 Page:1-31
ISSN:2692-1626
Container-title:Digital Threats: Research and Practice
language:en
Short-container-title:Digital Threats: Research and Practice

Author:

Usui Toshinori¹,Otsuki Yuto²,Ikuse Tomonori²,Kawakoya Yuhei²,Iwamura Makoto²,Miyoshi Jun²,Matsuura Kanta³

Affiliation:

1. NTT Secure Platform Laboratories/Institute of Industrial Science, The University of Tokyo, Tokyo, Japan

2. NTT Secure Platform Laboratories, Japan

3. Institute of Industrial Science, The University of Tokyo, Tokyo, Japan

Abstract

Script languages are designed to be easy-to-use and require low learning costs. These features provide attackers options to choose a script language for developing their malicious scripts. This diversity of choice in the attacker side unexpectedly imposes a significant cost on the preparation for analysis tools in the defense side. That is, we have to prepare for multiple script languages to analyze malicious scripts written in them. We call this unbalanced cost for script languages asymmetry problem . To solve this problem, we propose a method for automatically detecting the hook and tap points in a script engine binary that is essential for building a script Application Programming Interface (API) tracer. Our method allows us to reduce the cost of reverse engineering of a script engine binary, which is the largest portion of the development of a script API tracer, and build a script API tracer for a script language with minimum manual intervention. This advantage results in solving the asymmetry problem. The experimental results showed that our method generated the script API tracers for the three script languages popular among attackers (Visual Basic for Applications (VBA), Microsoft Visual Basic Scripting Edition (VBScript), and PowerShell). The results also demonstrated that these script API tracers successfully analyzed real-world malicious scripts.

Funder

Japan Society for the Promotion of Science

Publisher

Association for Computing Machinery (ACM)

Subject

General Medicine

Link

https://dl.acm.org/doi/pdf/10.1145/3416126

Reference56 articles.

1. VirusTotal. [n.d.]. Retrieved March 9 2017 from https://www.virustotal.com VirusTotal. [n.d.]. Retrieved March 9 2017 from https://www.virustotal.com

2. JSand

3. A Heuristic-Based Approach to Identify Concepts in Execution Traces

4. The Dependable Systems Lab at EPFL in Lausanne. [n.d.]. Chef. Retrieved January 1 2018 from https://github.com/S2E/s2e-old/tree/chef. The Dependable Systems Lab at EPFL in Lausanne. [n.d.]. Chef. Retrieved January 1 2018 from https://github.com/S2E/s2e-old/tree/chef.

5. Rohitab Batra. [n.d.]. API Monitor. Retrieved February 15 2019 from http://www.rohitab.com/apimonitor. Rohitab Batra. [n.d.]. API Monitor. Retrieved February 15 2019 from http://www.rohitab.com/apimonitor.