
Research And Implementation Of Semantics-based Approach For Binary Code De-obfuscation

Posted on: 2017-06-22
Degree: Master
Type: Thesis
Country: China
Candidate: L Wang
Full Text: PDF
GTID: 2348330512464452
Subject: Computer application technology
Abstract/Summary:
Obfuscation techniques are routinely adopted by malware to evade detection and to increase the difficulty and cost of reverse engineering for security analysts. Binary code de-obfuscation, which removes or reduces the effect introduced by obfuscation, therefore plays a crucial role in malware analysis. Current binary code de-obfuscation approaches target only a limited set of specific obfuscations and are ineffective against new ones. State-of-the-art approaches to this problem are based on dynamic analysis and suffer from low code coverage. This thesis therefore introduces a semantics-based approach to binary code de-obfuscation that can be applied to most existing and new obfuscation techniques without any assumptions about the structure of the obfuscator. The research on the semantics-based approach consists of the following four parts:

(1) To address the limitation that current binary code de-obfuscation approaches target only a limited set of specific obfuscations, a semantically relevant instruction identification approach is introduced. It combines dynamic taint analysis with control dependency analysis to capture both the explicit and the implicit information flows of the program, and thereby identifies all instructions that are relevant to the program's semantics.

(2) To address low code coverage, the thesis introduces a low-cost solution for exploring multiple execution paths without any profiling information. The goal is to obtain a number of distinct execution paths, each of which reveals behaviour that cannot be observed on the other paths. The proposed solution incurs lower overhead because the predicate search space of the program is greatly reduced by the semantically relevant instruction identification.

(3) To make the behaviour of an obfuscated program easier to analyze and understand, an API de-obfuscation approach is introduced that combines memory monitoring and code injection to extract and recover the API calls hidden in the malware.

(4) A prototype system implementing the semantics-based de-obfuscation approach is built, and an experimental analysis and evaluation is carried out on a range of obfuscated binaries. The experimental results show that the de-obfuscation system is effective.
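The following is an added worked example, not code from the thesis or its prototype. It models parts (1) and (2) on a toy register machine of my own design: the program is executed on one concrete input to obtain a dynamic trace, taint is propagated forward from the hypothetical `input` source, and a backward slice is taken from the observable `out` sink along data dependencies (register def-use in the trace) and control dependencies (not-taken conditional jumps whose guarded region contains a slice member). Instructions outside the slice had no effect on observed behaviour; tainted conditional jumps inside it are the predicates that a multi-path explorer would need to flip. The sample program and instruction set are constructed for the example.

```python
"""Toy dynamic slicer illustrating semantically relevant instruction identification.
Added example, not the thesis's code: run a tiny register machine on one input,
propagate taint from `input`, then backward-slice from the `out` sink over data
dependencies (def-use in the trace) and control dependencies (not-taken jumps
whose guarded region contains a slice member)."""

# Constructed sample program: `input` is the taint source, `out` the sink.
PROGRAM = """
    mov r3, 0          ; default result, overwritten on the decoded path
    mov r0, input
    mov r1, 7          ; junk: r1 never reaches the sink
    mov r2, r0
    xor r2, 0x5a       ; decode the input byte
    cmp r2, 0x13
    jne L1             ; input-dependent predicate
    mov r3, 1
L1:
    mov r4, 0
    cmp r4, 0          ; constant predicate, always equal
    jne L2
    mov r5, 42         ; junk guarded by the constant predicate
L2:
    out r3
"""
JUMPS = ("je", "jne")


def parse(text):
    """Return (instructions, label -> instruction index); ';' starts a comment."""
    instrs, labels = [], {}
    for raw in text.splitlines():
        line = raw.split(";")[0].strip()
        if line.endswith(":"):
            labels[line[:-1]] = len(instrs)
        elif line:
            op, _, rest = line.partition(" ")
            instrs.append((op, [a.strip() for a in rest.split(",")] if rest else []))
    return instrs, labels


def run(instrs, labels, input_value):
    """Execute on one input; each trace entry records its data deps and taint."""
    regs = {f"r{i}": 0 for i in range(8)}
    taint = {r: False for r in regs}
    last_def, trace, zf, pc = {}, [], False, 0   # last_def: reg/flag -> writer's trace index
    val = lambda a: input_value if a == "input" else regs[a] if a in regs else int(a, 0)
    tainted = lambda a: a == "input" or taint.get(a, False)
    while pc < len(instrs):
        op, args = instrs[pc]
        reads = args[1:] if op == "mov" else ["zf"] if op in JUMPS else args
        e = {"pc": pc, "op": op, "deps": {last_def[a] for a in reads if a in last_def},
             "tainted": False, "region_end": None, "sink": op == "out"}
        idx, taken = len(trace), False
        if op in ("mov", "add", "xor"):
            dst, src = args
            regs[dst] = {"mov": val(src), "add": (regs[dst] + val(src)) & 0xFF,
                         "xor": regs[dst] ^ val(src)}[op]
            taint[dst] = tainted(src) or (op != "mov" and taint[dst])
            last_def[dst], e["tainted"] = idx, taint[dst]
        elif op == "cmp":
            zf = val(args[0]) == val(args[1])
            taint["zf"] = tainted(args[0]) or tainted(args[1])
            last_def["zf"], e["tainted"] = idx, taint["zf"]
        elif op in JUMPS:
            e["tainted"] = taint.get("zf", False)
            taken = zf if op == "je" else not zf
            if not taken:       # fall-through executes pcs in [pc+1, target): guarded region
                e["region_end"] = labels[args[0]]
        trace.append(e)
        pc = labels[args[0]] if taken else pc + 1
    return trace


def slice_trace(trace):
    """Backward dynamic slice from every sink over data and control dependencies."""
    relevant, work = set(), [i for i, e in enumerate(trace) if e["sink"]]
    while work:
        i = work.pop()
        if i in relevant:
            continue
        relevant.add(i)
        work.extend(trace[i]["deps"])
        for j in range(i):              # control deps: not-taken jumps guarding entry i
            end = trace[j]["region_end"]
            if end is None:
                continue
            # the guarded region closes at the first later entry that reached the join label
            k = next((m for m in range(j + 1, len(trace)) if trace[m]["pc"] >= end), len(trace))
            if i < k:
                work.append(j)
    return relevant


def analyze(program, input_value):
    """Relevant pcs, input-dependent predicates worth flipping, and discarded junk."""
    instrs, labels = parse(program)
    trace = run(instrs, labels, input_value)
    rel = slice_trace(trace)
    relevant = sorted({trace[i]["pc"] for i in rel})
    predicates = sorted(trace[i]["pc"] for i in rel
                        if trace[i]["op"] in JUMPS and trace[i]["tainted"])
    junk = sorted({e["pc"] for e in trace} - set(relevant))
    return {"relevant": relevant, "predicates": predicates, "junk": junk}


if __name__ == "__main__":
    print(analyze(PROGRAM, 0x49))  # decoded path: the xor/cmp/jne chain survives
    print(analyze(PROGRAM, 0x00))  # other path: only the default result survives
```

On the input that decodes to the compared constant, the slice keeps the taint source, the decode, the comparison, the jump and the guarded assignment, discards the junk register and the constant predicate, and reports the single tainted jump as the only predicate worth flipping, which is the reduced search space part (2) relies on. On any other input the guarded region is empty in the trace, so the slice shrinks to the default assignment and the sink; that is the one-path blind spot that multi-path exploration exists to cover. This toy only models the executed-region form of control dependency, not the fuller implicit-flow handling the abstract attributes to the thesis.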
Keywords/Search Tags: malware analysis, code de-obfuscation, semantics, dynamic analysis, code coverage