Affiliation:
1. Graduate School of Software, Soongsil University, Seoul 06978, Republic of Korea
Abstract
Original Entry Point (OEP) and API obfuscation techniques greatly hinder the analysis of malware. Contemporary packers that employ these obfuscation strategies continue to pose unresolved challenges despite extensive research. Recent work such as API-Xray has concentrated mainly on rebuilding obfuscated import tables in malware, while research into OEP obfuscation remains limited. As a solution, we present Pinicorn, an automated dynamic de-obfuscation system designed to handle both problems. Pinicorn bypasses packers' anti-analysis techniques and retrieves the original program from memory. It is specifically designed to detect and analyze trampoline code at both the OEP and in the import table. Our evaluation shows that Pinicorn successfully de-obfuscates programs hidden by three different packers, and we confirm the results by comparing the recovered programs with their original, unpacked versions. We further conducted experiments on malware obfuscated by Themida and VMProtect, analyzing their obfuscation techniques and successfully de-obfuscating the samples to validate the effectiveness of our approach.
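The import-table side of the problem the abstract describes can be illustrated with a small resolver. The following is an added example and not Pinicorn's code: a packer that obfuscates the import table replaces each IAT pointer with the address of a trampoline (a chain of jumps) that eventually lands in the real API, so rebuilding the table means following each chain until it leaves the packed image. The memory image, addresses, IAT layout and API names below are constructed for the example; a real dump would be read from the unpacked process at the OEP.

```python
"""Follow packer-style import trampolines back to their real targets.

Added illustration (not Pinicorn's code). The byte image, addresses and
API names are constructed; real input would be a memory dump of the
unpacked process taken at the OEP.
"""
import struct
from typing import Dict, List, Optional, Tuple

# Constructed "API" addresses that lie outside the packed image (assumption).
FAKE_CREATEFILEW = 0x7FFA1000
FAKE_GETPROCADDRESS = 0x7FFA2000
FAKE_API_MAP = {FAKE_CREATEFILEW: "kernel32!CreateFileW",
                FAKE_GETPROCADDRESS: "kernel32!GetProcAddress"}


class MemoryImage:
    """A flat memory dump with a load base, addressed by virtual address."""

    def __init__(self, base: int, data: bytes) -> None:
        self.base = base
        self.data = bytearray(data)

    def contains(self, va: int) -> bool:
        return self.base <= va < self.base + len(self.data)

    def read(self, va: int, n: int) -> bytes:
        if not (self.contains(va) and self.contains(va + n - 1)):
            raise ValueError(f"read outside image: {va:#x}")
        off = va - self.base
        return bytes(self.data[off:off + n])

    def write(self, va: int, blob: bytes) -> None:
        if not (self.contains(va) and self.contains(va + len(blob) - 1)):
            raise ValueError(f"write outside image: {va:#x}")
        off = va - self.base
        self.data[off:off + len(blob)] = blob


def step(img: MemoryImage, va: int) -> Optional[int]:
    """Decode one control transfer at va and return its destination.

    Covers the forms packers typically chain: jmp rel8, jmp rel32,
    jmp qword [rip+disp32] (x64, indirect through a pointer slot) and
    push imm32 ; ret.  Returns None when va holds anything else.
    """
    op = img.read(va, 1)[0]
    if op == 0xEB:                                      # jmp rel8
        (rel,) = struct.unpack("<b", img.read(va + 1, 1))
        return va + 2 + rel
    if op == 0xE9:                                      # jmp rel32
        (rel,) = struct.unpack("<i", img.read(va + 1, 4))
        return va + 5 + rel
    if op == 0xFF and img.read(va + 1, 1)[0] == 0x25:   # jmp qword [rip+disp32]
        (disp,) = struct.unpack("<i", img.read(va + 2, 4))
        (target,) = struct.unpack("<Q", img.read(va + 6 + disp, 8))
        return target
    if op == 0x68 and img.read(va + 5, 1)[0] == 0xC3:   # push imm32 ; ret
        (target,) = struct.unpack("<I", img.read(va + 1, 4))
        return target
    return None


def resolve_trampoline(img: MemoryImage, va: int,
                       max_hops: int = 32) -> Tuple[int, List[int]]:
    """Follow jumps from va; return (final address, addresses visited).

    Stops when control leaves the image (the real API lives in another
    module) or reaches a non-jump instruction.  Raises on loops and on
    over-long chains, both of which packers use to stall naive resolvers.
    """
    chain, cur = [va], va
    while len(chain) <= max_hops:
        if not img.contains(cur):
            return cur, chain
        nxt = step(img, cur)
        if nxt is None:
            return cur, chain
        if nxt in chain:
            raise RuntimeError(f"trampoline loop at {nxt:#x}")
        chain.append(nxt)
        cur = nxt
    raise RuntimeError(f"trampoline from {va:#x} exceeds {max_hops} hops")


def rebuild_imports(img: MemoryImage, iat_slots: List[int], api_map: Dict[int, str]
                    ) -> Dict[int, Tuple[Optional[int], Optional[str]]]:
    """Map each IAT slot to the real API its trampoline reaches, or (None, None)."""
    result = {}
    for slot in iat_slots:
        (ptr,) = struct.unpack("<Q", img.read(slot, 8))
        try:
            target, _ = resolve_trampoline(img, ptr)
        except RuntimeError:
            result[slot] = (None, None)      # leave unresolved rather than guess
            continue
        result[slot] = (target, api_map.get(target))
    return result


def build_sample_image() -> MemoryImage:
    """Constructed packed image: three trampolines and an obfuscated IAT."""
    img = MemoryImage(0x400000, bytes(0x100))
    # Chain A: jmp rel32 -> jmp rel8 -> jmp [rip+disp32] -> CreateFileW
    img.write(0x400000, b"\xE9" + struct.pack("<i", 0x400040 - (0x400000 + 5)))
    img.write(0x400040, b"\xEB" + struct.pack("<b", 0x400050 - (0x400040 + 2)))
    img.write(0x400050, b"\xFF\x25" + struct.pack("<i", 0x400080 - (0x400050 + 6)))
    img.write(0x400080, struct.pack("<Q", FAKE_CREATEFILEW))
    # Chain B: push imm32 ; ret -> GetProcAddress
    img.write(0x400060, b"\x68" + struct.pack("<I", FAKE_GETPROCADDRESS) + b"\xC3")
    # Chain C: jmp $ (self-loop), an anti-analysis stall
    img.write(0x4000C0, b"\xEB\xFE")
    # The IAT points at trampolines instead of at the APIs
    for slot, tramp in ((0x4000A0, 0x400000), (0x4000A8, 0x400060), (0x4000B0, 0x4000C0)):
        img.write(slot, struct.pack("<Q", tramp))
    return img


if __name__ == "__main__":
    sample = build_sample_image()
    table = rebuild_imports(sample, [0x4000A0, 0x4000A8, 0x4000B0], FAKE_API_MAP)
    for slot, (target, name) in table.items():
        print(f"IAT[{slot:#x}] -> {'unresolved' if target is None else hex(target)} {name or ''}")
```

The resolver only follows the jump forms shown; real packers also insert junk arithmetic, conditional jumps and stack-based dispatch in the trampoline, which is why the paper recovers the chains dynamically rather than by static decoding. The loop and hop limits matter in practice: without them a single `jmp $` in the import stub stalls the whole import rebuild.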
Funder
Institute of Information & Communications Technology Planning & Evaluation