UnThemida: Commercial obfuscation technique analysis with a fully obfuscated program. (18th July 2018)
- Record Type:
- Journal Article
- Title:
- UnThemida: Commercial obfuscation technique analysis with a fully obfuscated program. (18th July 2018)
- Main Title:
- UnThemida: Commercial obfuscation technique analysis with a fully obfuscated program
- Authors:
- Suk, Jae Hyuk
Lee, Jae‐Yung
Jin, Hongjoo
Kim, In Seok
Lee, Dong Hoon - Abstract:
- Summary: The main goal of code obfuscation is to make software more difficult to reverse engineer. These techniques modify data structures and control flow while retaining the functionality of the original program. Although obfuscation is a useful method for protecting programs, it can also be used to protect malware. This raises concerns that malware could use code obfuscation to avoid detection by antivirus software. It is very difficult to analyze the functionality of obfuscated malware before it has been deobfuscated. Furthermore, commercial obfuscation tools allow malware authors to apply multiple obfuscation options simultaneously, and current deobfuscation techniques cannot handle this situation. In this study, we analyzed a well‐known commercial obfuscation tool called Themida. We applied its many obfuscation options to a program and implemented a tool to recover the original code and data. We extracted features from obfuscated programs and analyzed their control flow. Our tool is based on these features and the control flow patterns and can identify whether Themida has been applied to the program and which obfuscation options have been used. Finally, we suggested a method for recovering the import address table of programs by using dynamic binary instrumentation. The proposed rules and algorithms can almost completely recover the APIs of programs even though they are hidden by obfuscation options provided by Themida.
- Is Part Of:
- Software, practice & experience. Volume 48:Number 12(2018)
- Journal:
- Software, practice & experience
- Issue:
- Volume 48:Number 12(2018)
- Issue Display:
- Volume 48, Issue 12 (2018)
- Year:
- 2018
- Volume:
- 48
- Issue:
- 12
- Issue Sort Value:
- 2018-0048-0012-0000
- Page Start:
- 2331
- Page End:
- 2349
- Publication Date:
- 2018-07-18
- Subjects:
- debugging -- packer -- reverse engineering -- software implementation -- software protection
Computer software -- Periodicals
Computer programming -- Periodicals
Computer programs -- Periodicals
005.3 - Journal URLs:
- http://onlinelibrary.wiley.com/ ↗
- DOI:
- 10.1002/spe.2622 ↗
- Languages:
- English
- ISSNs:
- 0038-0644
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms) ↗
- Physical Locations:
- British Library DSC - 8321.453000
British Library DSC - BLDSS-3PM
British Library STI - ELD Digital store - Ingest File:
- 8482.xml