UnThemida: Commercial obfuscation technique analysis with a fully obfuscated program

UnThemida: Commercial obfuscation technique analysis with a fully obfuscated program

Summary The main goal of code obfuscation is to make software more difficult to reverse engineer. These techniques modify data structures and control flow while retaining the functionality of the original program. Although obfuscation is a useful method for protecting programs, it can also be used t...

Ausführliche Beschreibung

Gespeichert in:
Bibliographische Detailangaben
Veröffentlicht in:Software, practice & experience practice & experience, 2018-12, Vol.48 (12), p.2331-2349
Hauptverfasser: Suk, Jae Hyuk, Lee, Jae‐Yung, Jin, Hongjoo, Kim, In Seok, Lee, Dong Hoon
Format: Artikel
Sprache:eng
Schlagworte:
Anti-virus software
Data structures
debugging
Feature extraction
Malware
packer
reverse engineering
Software
software implementation
software protection
Online-Zugang:Volltext
Tags: Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
container_end_page 2349
container_issue 12
container_start_page 2331
container_title Software, practice & experience
container_volume 48
creator Suk, Jae Hyuk
Lee, Jae‐Yung
Jin, Hongjoo
Kim, In Seok
Lee, Dong Hoon
description Summary The main goal of code obfuscation is to make software more difficult to reverse engineer. These techniques modify data structures and control flow while retaining the functionality of the original program. Although obfuscation is a useful method for protecting programs, it can also be used to protect malware. This raises concerns that malware could use code obfuscation to avoid detection by antivirus software. It is very difficult to analyze the functionality of obfuscated malware before it has been deobfuscated. Furthermore, commercial obfuscation tools allow malware authors to apply multiple obfuscation options simultaneously, and current deobfuscation techniques cannot handle this situation. In this study, we analyzed a well‐known commercial obfuscation tool called Themida. We applied its many obfuscation options to a program and implemented a tool to recover the original code and data. We extracted features from obfuscated programs and analyzed their control flow. Our tool is based on these features and the control flow patterns and can identify whether Themida has been applied to the program and which obfuscation options have been used. Finally, we suggested a method for recovering the import address table of programs by using dynamic binary instrumentation. The proposed rules and algorithms can almost completely recover the APIs of programs even though they are hidden by obfuscation options provided by Themida.
doi_str_mv 10.1002/spe.2622
format Article
fullrecord <record><control><sourceid>proquest_cross</sourceid><recordid>TN_cdi_proquest_journals_2130075934</recordid><sourceformat>XML</sourceformat><sourcesystem>PC</sourcesystem><sourcerecordid>2130075934</sourcerecordid><originalsourceid>FETCH-LOGICAL-c2932-4bcdcdeb4c390eca4e83857a35bf702a51fb3745a383607e7ebcc1caf655c0d93</originalsourceid><addsrcrecordid>eNp10EtLAzEUBeAgCtYq-BMCbtxMvXlNZtxJqQ8oKNiCu5DJJDZlHjWZocy_d2rFnau7-bjncBC6JjAjAPQu7uyMppSeoAmBXCZA-ccpmgCwLIGU83N0EeMWgBBB0wlarZvVxta-1Pd43ta1DcbrCreF66PRnW8b3FmzafxXb7FudDVEH_HedxusseuraviztsS70H4GXV-iM6eraK9-7xStHxer-XOyfH16mT8sE0NzRhNemNKUtuCG5WCN5jZjmZCaicJJoFoQVzDJhWYZS0FaaQtjiNEuFcJAmbMpujn-HXPHfrFT27YPY8moKGEAUuSMj-r2qExoYwzWqV3wtQ6DIqAOm6lxM3XYbKTJke59ZYd_nXp_W_z4b_6Qbok</addsrcrecordid><sourcetype>Aggregation Database</sourcetype><iscdi>true</iscdi><recordtype>article</recordtype><pqid>2130075934</pqid></control><display><type>article</type><title>UnThemida: Commercial obfuscation technique analysis with a fully obfuscated program</title><source>Access via Wiley Online Library</source><creator>Suk, Jae Hyuk ; Lee, Jae‐Yung ; Jin, Hongjoo ; Kim, In Seok ; Lee, Dong Hoon</creator><creatorcontrib>Suk, Jae Hyuk ; Lee, Jae‐Yung ; Jin, Hongjoo ; Kim, In Seok ; Lee, Dong Hoon</creatorcontrib><description>Summary The main goal of code obfuscation is to make software more difficult to reverse engineer. These techniques modify data structures and control flow while retaining the functionality of the original program. Although obfuscation is a useful method for protecting programs, it can also be used to protect malware. This raises concerns that malware could use code obfuscation to avoid detection by antivirus software. It is very difficult to analyze the functionality of obfuscated malware before it has been deobfuscated. Furthermore, commercial obfuscation tools allow malware authors to apply multiple obfuscation options simultaneously, and current deobfuscation techniques cannot handle this situation. In this study, we analyzed a well‐known commercial obfuscation tool called Themida. We applied its many obfuscation options to a program and implemented a tool to recover the original code and data. We extracted features from obfuscated programs and analyzed their control flow. Our tool is based on these features and the control flow patterns and can identify whether Themida has been applied to the program and which obfuscation options have been used. Finally, we suggested a method for recovering the import address table of programs by using dynamic binary instrumentation. The proposed rules and algorithms can almost completely recover the APIs of programs even though they are hidden by obfuscation options provided by Themida.</description><identifier>ISSN: 0038-0644</identifier><identifier>EISSN: 1097-024X</identifier><identifier>DOI: 10.1002/spe.2622</identifier><language>eng</language><publisher>Bognor Regis: Wiley Subscription Services, Inc</publisher><subject>Anti-virus software ; Data structures ; debugging ; Feature extraction ; Malware ; packer ; reverse engineering ; Software ; software implementation ; software protection</subject><ispartof>Software, practice &amp; experience, 2018-12, Vol.48 (12), p.2331-2349</ispartof><rights>2018 John Wiley &amp; Sons, Ltd.</rights><lds50>peer_reviewed</lds50><woscitedreferencessubscribed>false</woscitedreferencessubscribed><citedby>FETCH-LOGICAL-c2932-4bcdcdeb4c390eca4e83857a35bf702a51fb3745a383607e7ebcc1caf655c0d93</citedby><cites>FETCH-LOGICAL-c2932-4bcdcdeb4c390eca4e83857a35bf702a51fb3745a383607e7ebcc1caf655c0d93</cites><orcidid>0000-0002-2466-1503</orcidid></display><links><openurl>$$Topenurl_article</openurl><openurlfulltext>$$Topenurlfull_article</openurlfulltext><thumbnail>$$Tsyndetics_thumb_exl</thumbnail><linktopdf>$$Uhttps://onlinelibrary.wiley.com/doi/pdf/10.1002%2Fspe.2622$$EPDF$$P50$$Gwiley$$H</linktopdf><linktohtml>$$Uhttps://onlinelibrary.wiley.com/doi/full/10.1002%2Fspe.2622$$EHTML$$P50$$Gwiley$$H</linktohtml><link.rule.ids>314,780,784,1417,27924,27925,45574,45575</link.rule.ids></links><search><creatorcontrib>Suk, Jae Hyuk</creatorcontrib><creatorcontrib>Lee, Jae‐Yung</creatorcontrib><creatorcontrib>Jin, Hongjoo</creatorcontrib><creatorcontrib>Kim, In Seok</creatorcontrib><creatorcontrib>Lee, Dong Hoon</creatorcontrib><title>UnThemida: Commercial obfuscation technique analysis with a fully obfuscated program</title><title>Software, practice &amp; experience</title><description>Summary The main goal of code obfuscation is to make software more difficult to reverse engineer. These techniques modify data structures and control flow while retaining the functionality of the original program. Although obfuscation is a useful method for protecting programs, it can also be used to protect malware. This raises concerns that malware could use code obfuscation to avoid detection by antivirus software. It is very difficult to analyze the functionality of obfuscated malware before it has been deobfuscated. Furthermore, commercial obfuscation tools allow malware authors to apply multiple obfuscation options simultaneously, and current deobfuscation techniques cannot handle this situation. In this study, we analyzed a well‐known commercial obfuscation tool called Themida. We applied its many obfuscation options to a program and implemented a tool to recover the original code and data. We extracted features from obfuscated programs and analyzed their control flow. Our tool is based on these features and the control flow patterns and can identify whether Themida has been applied to the program and which obfuscation options have been used. Finally, we suggested a method for recovering the import address table of programs by using dynamic binary instrumentation. The proposed rules and algorithms can almost completely recover the APIs of programs even though they are hidden by obfuscation options provided by Themida.</description><subject>Anti-virus software</subject><subject>Data structures</subject><subject>debugging</subject><subject>Feature extraction</subject><subject>Malware</subject><subject>packer</subject><subject>reverse engineering</subject><subject>Software</subject><subject>software implementation</subject><subject>software protection</subject><issn>0038-0644</issn><issn>1097-024X</issn><fulltext>true</fulltext><rsrctype>article</rsrctype><creationdate>2018</creationdate><recordtype>article</recordtype><recordid>eNp10EtLAzEUBeAgCtYq-BMCbtxMvXlNZtxJqQ8oKNiCu5DJJDZlHjWZocy_d2rFnau7-bjncBC6JjAjAPQu7uyMppSeoAmBXCZA-ccpmgCwLIGU83N0EeMWgBBB0wlarZvVxta-1Pd43ta1DcbrCreF66PRnW8b3FmzafxXb7FudDVEH_HedxusseuraviztsS70H4GXV-iM6eraK9-7xStHxer-XOyfH16mT8sE0NzRhNemNKUtuCG5WCN5jZjmZCaicJJoFoQVzDJhWYZS0FaaQtjiNEuFcJAmbMpujn-HXPHfrFT27YPY8moKGEAUuSMj-r2qExoYwzWqV3wtQ6DIqAOm6lxM3XYbKTJke59ZYd_nXp_W_z4b_6Qbok</recordid><startdate>201812</startdate><enddate>201812</enddate><creator>Suk, Jae Hyuk</creator><creator>Lee, Jae‐Yung</creator><creator>Jin, Hongjoo</creator><creator>Kim, In Seok</creator><creator>Lee, Dong Hoon</creator><general>Wiley Subscription Services, Inc</general><scope>AAYXX</scope><scope>CITATION</scope><scope>7SC</scope><scope>8FD</scope><scope>F28</scope><scope>FR3</scope><scope>JQ2</scope><scope>L7M</scope><scope>L~C</scope><scope>L~D</scope><orcidid>https://orcid.org/0000-0002-2466-1503</orcidid></search><sort><creationdate>201812</creationdate><title>UnThemida: Commercial obfuscation technique analysis with a fully obfuscated program</title><author>Suk, Jae Hyuk ; Lee, Jae‐Yung ; Jin, Hongjoo ; Kim, In Seok ; Lee, Dong Hoon</author></sort><facets><frbrtype>5</frbrtype><frbrgroupid>cdi_FETCH-LOGICAL-c2932-4bcdcdeb4c390eca4e83857a35bf702a51fb3745a383607e7ebcc1caf655c0d93</frbrgroupid><rsrctype>articles</rsrctype><prefilter>articles</prefilter><language>eng</language><creationdate>2018</creationdate><topic>Anti-virus software</topic><topic>Data structures</topic><topic>debugging</topic><topic>Feature extraction</topic><topic>Malware</topic><topic>packer</topic><topic>reverse engineering</topic><topic>Software</topic><topic>software implementation</topic><topic>software protection</topic><toplevel>peer_reviewed</toplevel><toplevel>online_resources</toplevel><creatorcontrib>Suk, Jae Hyuk</creatorcontrib><creatorcontrib>Lee, Jae‐Yung</creatorcontrib><creatorcontrib>Jin, Hongjoo</creatorcontrib><creatorcontrib>Kim, In Seok</creatorcontrib><creatorcontrib>Lee, Dong Hoon</creatorcontrib><collection>CrossRef</collection><collection>Computer and Information Systems Abstracts</collection><collection>Technology Research Database</collection><collection>ANTE: Abstracts in New Technology &amp; Engineering</collection><collection>Engineering Research Database</collection><collection>ProQuest Computer Science Collection</collection><collection>Advanced Technologies Database with Aerospace</collection><collection>Computer and Information Systems Abstracts – Academic</collection><collection>Computer and Information Systems Abstracts Professional</collection><jtitle>Software, practice &amp; experience</jtitle></facets><delivery><delcategory>Remote Search Resource</delcategory><fulltext>fulltext</fulltext></delivery><addata><au>Suk, Jae Hyuk</au><au>Lee, Jae‐Yung</au><au>Jin, Hongjoo</au><au>Kim, In Seok</au><au>Lee, Dong Hoon</au><format>journal</format><genre>article</genre><ristype>JOUR</ristype><atitle>UnThemida: Commercial obfuscation technique analysis with a fully obfuscated program</atitle><jtitle>Software, practice &amp; experience</jtitle><date>2018-12</date><risdate>2018</risdate><volume>48</volume><issue>12</issue><spage>2331</spage><epage>2349</epage><pages>2331-2349</pages><issn>0038-0644</issn><eissn>1097-024X</eissn><abstract>Summary The main goal of code obfuscation is to make software more difficult to reverse engineer. These techniques modify data structures and control flow while retaining the functionality of the original program. Although obfuscation is a useful method for protecting programs, it can also be used to protect malware. This raises concerns that malware could use code obfuscation to avoid detection by antivirus software. It is very difficult to analyze the functionality of obfuscated malware before it has been deobfuscated. Furthermore, commercial obfuscation tools allow malware authors to apply multiple obfuscation options simultaneously, and current deobfuscation techniques cannot handle this situation. In this study, we analyzed a well‐known commercial obfuscation tool called Themida. We applied its many obfuscation options to a program and implemented a tool to recover the original code and data. We extracted features from obfuscated programs and analyzed their control flow. Our tool is based on these features and the control flow patterns and can identify whether Themida has been applied to the program and which obfuscation options have been used. Finally, we suggested a method for recovering the import address table of programs by using dynamic binary instrumentation. The proposed rules and algorithms can almost completely recover the APIs of programs even though they are hidden by obfuscation options provided by Themida.</abstract><cop>Bognor Regis</cop><pub>Wiley Subscription Services, Inc</pub><doi>10.1002/spe.2622</doi><tpages>19</tpages><orcidid>https://orcid.org/0000-0002-2466-1503</orcidid></addata></record>
fulltext fulltext
identifier ISSN: 0038-0644
ispartof Software, practice & experience, 2018-12, Vol.48 (12), p.2331-2349
issn 0038-0644
1097-024X
language eng
recordid cdi_proquest_journals_2130075934
source Access via Wiley Online Library
subjects Anti-virus software
Data structures
debugging
Feature extraction
Malware
packer
reverse engineering
Software
software implementation
software protection
title UnThemida: Commercial obfuscation technique analysis with a fully obfuscated program
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2024-12-19T02%3A59%3A10IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_cross&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=UnThemida:%20Commercial%20obfuscation%20technique%20analysis%20with%20a%20fully%20obfuscated%20program&rft.jtitle=Software,%20practice%20&%20experience&rft.au=Suk,%20Jae%20Hyuk&rft.date=2018-12&rft.volume=48&rft.issue=12&rft.spage=2331&rft.epage=2349&rft.pages=2331-2349&rft.issn=0038-0644&rft.eissn=1097-024X&rft_id=info:doi/10.1002/spe.2622&rft_dat=%3Cproquest_cross%3E2130075934%3C/proquest_cross%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=2130075934&rft_id=info:pmid/&rfr_iscdi=true