Article

Unpacking virtualization obfuscators

Author:

Rolf RollesAuthors Info & Claims

WOOT'09: Proceedings of the 3rd USENIX conference on Offensive technologies

Page 1

Published: 10 August 2009 Publication History

Abstract

Nearly every malware sample is sheathed in an executable protection which must be removed before static analyses can proceed. Existing research has studied automatically unpacking certain protections, but has not yet caught up with many modern techniques. Contrary to prior assumptions, protected programs do not always have the property that they are reverted to a fully unprotected state at some point during the course of their execution. This work provides a novel technique for circumventing one of the most problematic features of modern software protections, so-called virtualization obfuscation. The technique enables analysis of heretofore impenetrable malware.

References

[1]

M. G. Kang, P. Poosankam, and H. Yin. Renovo: A Hidden Code Extractor for Packed Executables. In Proc. of the 5th ACM Workshop on Recurring Malcode, 2007.

Digital Library

[2]

TEMU: The BitBlaze Dynamic Analysis Component. http://bitblaze.cs.berkeley.edu/temu.html.

[3]

F. Bellard: QEMU, a Fast and Portable Dynamic Translator. In Proceedings of the 2005 USENIX Conference, 2005.

Digital Library

[4]

Silicon Realms Toolworks. Armadillo. http://siliconrealms.com/index.shtml

[5]

Themida. http://www.oreans.com/

[6]

OllyBonE. http://www.joestewart.org/ollybone/

[7]

R. E. Rolles: Defeating HyperUnpackMe2 with an IDA Processor Module. http://www.openrce.org/articles/full_view/28

[8]

D. Quist and V. Smith: Covert Debugging: Circumventing Software Armoring Techniques. In Black Hat Briefings USA, August 2007.

[9]

P. Royal: Alternative Medicine: The Malware Analyst's Blue Pill. In Black Hat Briefings USA, August 2008.

[10]

L. Boehne: Pandora's Bochs: Automated Unpacking of Malware. Diploma thesis. January 2008.

[11]

R. N. Horspool, N. Marovac: An Approach to the Problem of Detranslation of Computer Programs. In Comput. J. 23(3): pages 223-229, 1980.

[12]

Bochs: The Open Source IA-32 Emulation Project. http://bochs.sourceforge.net/

[13]

The PaX Team. Pax. http://pax.grsecurity.net/

[14]

VMPSoft. VMProtect. http://www.vmprotect.ru/

[15]

R. E. Rolles: Compiler 1, X86 Virtualizer 0. April 4th, 2008. http://www.openrce.org/blog/view/1110/

[16]

Dealing with Virtualization Packer. In CARO Conference, Amsterdam, May 2nd, 2008.

[17]

R. E. Rolles: Unpacking VMProtect. August 6th, 2008. http://www.openrce.org/blog/view/1238/

[18]

_g_ : Fighting Oreans' VM (code virtualizer flavour). August 19th, 2008. http://www.woodmann.com/forum/showthread.php?t=12015

[19]

M. Sharif, A. Lanzi, J. Giffin, W. Lee. Automatic Reverse Engineering of Malware Emulators. In Proc. of the 30th IEEE Symposium on Security and Privacy, 2009.

Digital Library

[20]

Zynamics GmbH. http://www.zynamics.com/vxclass.html

[21]

D. Gao, M. K. Reiter and D. Song. BinHunt: Automatically Finding Semantic Differences in Binary Programs. In Proc. of the 4th International Conference on Information Systems Security, December 2008.

Digital Library

Cited By

Kawakoya YAkabane SIwamura MOkamoto T(2023)Xunpack: Cross-Architecture Unpacking for Linux IoT MalwareProceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses10.1145/3607199.3607214(471-484)Online publication date: 16-Oct-2023
https://dl.acm.org/doi/10.1145/3607199.3607214
Anwar MZuo CYagemann CLin Z(2023)Extracting Threat Intelligence From Cheat Binaries For Anti-CheatingProceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses10.1145/3607199.3607211(17-31)Online publication date: 16-Oct-2023
https://dl.acm.org/doi/10.1145/3607199.3607211
Barr-Smith FBlazytko TBaker RMartinovic ITorres-Arias SMelara MSimon L(2022)ExorcistProceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses10.1145/3560835.3564550(51-61)Online publication date: 11-Nov-2022
https://dl.acm.org/doi/10.1145/3560835.3564550
Show More Cited By

Recommendations

SoK: Automatic Deobfuscation of Virtualization-protected Applications
ARES '21: Proceedings of the 16th International Conference on Availability, Reliability and Security

Malware authors often rely on code obfuscation to hide the malicious functionality of their software, making detection and analysis more difficult. One of the most advanced techniques for binary obfuscation is virtualization-based obfuscation, which ...
Virtualisation: Virtualisation as a blackhat tool

Virtualisation has been touted as a security tool. If you virtualise a server operating system and only run one application in it, then any application that suffers from a security flaw in that operating system can't theoretically be used to infect ...
Assessment of Virtualization as a Sensor Technique
SADFE '10: Proceedings of the 2010 Fifth IEEE International Workshop on Systematic Approaches to Digital Forensic Engineering

The explosive growth of malware development and the increasing sophistication of malware behavior require thatsecurity researchers be on the lookout for new vectors of attacks. Drive-by-downloads are among the types of attacks that are onthe rise. To ...

Comments

Information & Contributors

Information

Published In

cover image Guide Proceedings

WOOT'09: Proceedings of the 3rd USENIX conference on Offensive technologies

August 2009

9 pages

Publisher

USENIX Association

United States

Publication History

Published: 10 August 2009

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

34
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 23 Sep 2024

Other Metrics

View Author Metrics

Citations

Cited By

Kawakoya YAkabane SIwamura MOkamoto T(2023)Xunpack: Cross-Architecture Unpacking for Linux IoT MalwareProceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses10.1145/3607199.3607214(471-484)Online publication date: 16-Oct-2023
https://dl.acm.org/doi/10.1145/3607199.3607214
Anwar MZuo CYagemann CLin Z(2023)Extracting Threat Intelligence From Cheat Binaries For Anti-CheatingProceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses10.1145/3607199.3607211(17-31)Online publication date: 16-Oct-2023
https://dl.acm.org/doi/10.1145/3607199.3607211
Barr-Smith FBlazytko TBaker RMartinovic ITorres-Arias SMelara MSimon L(2022)ExorcistProceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses10.1145/3560835.3564550(51-61)Online publication date: 11-Nov-2022
https://dl.acm.org/doi/10.1145/3560835.3564550
Kochberger PSchrittwieser SSchweighofer SKieseberg PWeippl E(2021)SoK: Automatic Deobfuscation of Virtualization-protected ApplicationsProceedings of the 16th International Conference on Availability, Reliability and Security10.1145/3465481.3465772(1-15)Online publication date: 17-Aug-2021
https://dl.acm.org/doi/10.1145/3465481.3465772
Usui TOtsuki YIkuse TKawakoya YIwamura MMiyoshi JMatsuura K(2021)Automatic Reverse Engineering of Script Engine Binaries for Building Script API TracersDigital Threats: Research and Practice10.1145/34161262:1(1-31)Online publication date: 22-Jan-2021
https://dl.acm.org/doi/10.1145/3416126
Altinay ANash JKroes TRajasekaran PZhou DDabrowski AGens DNa YVolckaert SGiuffrida CBos HFranz MBilas AMagoutis KMarkatos EKostic DSeltzer M(2020)BinRecProceedings of the Fifteenth European Conference on Computer Systems10.1145/3342195.3387550(1-16)Online publication date: 15-Apr-2020
https://dl.acm.org/doi/10.1145/3342195.3387550
Pavithran JPatnaik MRebeiro CGantman AMaurice C(2019)D-TIMEProceedings of the 13th USENIX Conference on Offensive Technologies10.5555/3359043.3359053(10-10)Online publication date: 12-Aug-2019
https://dl.acm.org/doi/10.5555/3359043.3359053
Schaad AGrohmann BWinzenried OKerschbaum FMashatan ANiu JLee A(2019)CloudProtect - A Cloud-based Software Protection ServiceProceedings of the 24th ACM Symposium on Access Control Models and Technologies10.1145/3322431.3326447(219-221)Online publication date: 28-May-2019
https://dl.acm.org/doi/10.1145/3322431.3326447
Kiperberg MLeon RResh AAlgawi AZaidenberg N(2019)Hypervisor-Based Protection of CodeIEEE Transactions on Information Forensics and Security10.1109/TIFS.2019.289457714:8(2203-2216)Online publication date: 1-Aug-2019
https://dl.acm.org/doi/10.1109/TIFS.2019.2894577
Mesbah ALanet JMezghiche M(2019)Reverse engineering Java Card and vulnerability exploitationInternational Journal of Information Security10.1007/s10207-018-0401-918:1(85-100)Online publication date: 1-Feb-2019
https://dl.acm.org/doi/10.1007/s10207-018-0401-9
Show More Cited By

View Options

View options

Media

Figures

Other

Tables

View Table of Contents