UnThemida: Commercial obfuscation technique analysis with a fully obfuscated program

Summary The main goal of code obfuscation is to make software more difficult to reverse engineer. These techniques modify data structures and control flow while retaining the functionality of the original program. Although obfuscation is a useful method for protecting programs, it can also be used to protect malware. This raises concerns that malware could use code obfuscation to avoid detection by antivirus software. It is very difficult to analyze the functionality of obfuscated malware before it has been deobfuscated. Furthermore, commercial obfuscation tools allow malware authors to apply multiple obfuscation options simultaneously, and current deobfuscation techniques cannot handle this situation. In this study, we analyzed a well‐known commercial obfuscation tool called Themida. We applied its many obfuscation options to a program and implemented a tool to recover the original code and data. We extracted features from obfuscated programs and analyzed their control flow. Our tool is based on these features and the control flow patterns and can identify whether Themida has been applied to the program and which obfuscation options have been used. Finally, we suggested a method for recovering the import address table of programs by using dynamic binary instrumentation. The proposed rules and algorithms can almost completely recover the APIs of programs even though they are hidden by obfuscation options provided by Themida.