Bypassing Anti-Analysis of Commercial Protector Methods Using DBI Tools

Lee, Young Bi; Suk, Jae Hyuk; Lee, Dong Hoon

doi:10.1109/access.2020.3048848

Cited by 11 publications

(15 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Because the DBI framework is also widelyused to analyze malware, there are several techniques used in malicious applications to avoid being analyzed from the DBI framework and debuggers [40]. However, the analysis tools based on the DBI framework can have implement an automated bypassing module that recognizes and instrument such anti-DBI techniques to bypass them [28].…”

Section: Anti-dbi Techniquesmentioning

confidence: 99%

“…In this work, we focus on anti-DBI techniques, especially for detecting Intel Pin [40] because our approach is based on a dynamic analysis by using Intel Pin. In general, anti-DBI techniques (for detecting Intel Pin) work based on the Nt-QueryInformationProcess (ProcessDebugFlags), Single-Step exception, and PAGEGUARD exception [28], [40]. Among them, the traditional NtGlobalFlag detection technique uses a feature that the value of NtGlobalFlag, one of the variables in the PEB (Process Environment Block) structure, is always set to 0x70 when a debugger is attached to the process.…”

Section: Anti-dbi Techniquesmentioning

confidence: 99%

“…This line of work compares the behavior similarity of malware, but using those approaches in a small number of sandboxes can yield low accuracy. As an another line of work, recently, Lee et al [28] proposed an approach using a bypassing module to analyze malware that use anti-analysis techniques such as anti-VM.…”

Section: Introductionmentioning

confidence: 99%

“…From this result, we implement our approach based on Intel Pin. Lee et al [28] analyzed the anti-DBI and anti-VM techniques provided by commercial protectors and showed bypassing algorithms using Intel Pin. The commercial protectors are Themida [44], Enigma [45], VMProtect [2], Obsidium [35], and ACProtect [49].…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Large-Scale Analysis on Anti-Analysis Techniques in Real-World Malware

Kim

Cho

2022

IEEE Access

View full text Add to dashboard Cite

To dynamically identify malicious behaviors of millions of Windows malware, anti-virus vendors have widely been using sandbox-based analyzers. However, the sandbox-based analysis has a critical limitation that anti-analysis techniques (i.e., Anti-sandbox and Anti-VM techniques) can easily detect analyzers and evade from being analyzed. In this work, we study on anti-analysis techniques used in real-world malware. First off, to measure how many Windows malware exhibits anti-analysis techniques, we collect anti-analysis techniques used in malware. We, then, design and implement an automated system, named EvDetector, that detects malware which employ anti-analysis techniques. EvDetector finds if malware uses an anti-analysis technique and monitors whether the malware changes its execution paths based on the result of the anti-analysis technique. By using EvDetector, we analyzed 763,985 real-world malware that emerged from 2017 to 2020. Our evaluation results show that 16.21% of malware use antianalysis techniques on average. Also, we check the effectiveness of the analysis result by comparing EvDetector and static analysis. EvDetector analyzes up to 49.88% of malware detected by static analysis did not use anti-analysis techniques. In addition, we analyze that only up to 3.75% of the packed malware used anti-analysis techniques. Finally, we analyze the evasive malware trend through familial analysis and behavioral analysis. Our work implies that the research community needs to put more effort on defeating such anti-analysis techniques to automatically analyze emerging malware and respond with them.

show abstract

Section: Anti-dbi Techniquesmentioning

confidence: 99%

Section: Anti-dbi Techniquesmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Large-Scale Analysis on Anti-Analysis Techniques in Real-World Malware

Kim

Cho

2022

IEEE Access

View full text Add to dashboard Cite

show abstract

“…In a typical CPU scenario, we can attain the state of the race condition by executing this code, but in a QEMU emulator environment, the race condition seldom occurs. (d) Detection based on the TB-cache: DBI (DBI is short for dynamic binary instrumentation)based emulators improve efficiency via translation-caching method [129][130][131][132][133][134]. Although this caching mechanism improves emulation efficiency, it also introduces a substantial time disparity when executed on a real CPU.…”

Section: Anti-emulation Transformationmentioning

confidence: 99%

A Survey and Evaluation of Android-Based Malware Evasion Techniques and Detection Frameworks

Faruki

Bhan

Jain³

et al. 2023

Information

View full text Add to dashboard Cite

Android platform security is an active area of research where malware detection techniques continuously evolve to identify novel malware and improve the timely and accurate detection of existing malware. Adversaries are constantly in charge of employing innovative techniques to avoid or prolong malware detection effectively. Past studies have shown that malware detection systems are susceptible to evasion attacks where adversaries can successfully bypass the existing security defenses and deliver the malware to the target system without being detected. The evolution of escape-resistant systems is an open research problem. This paper presents a detailed taxonomy and evaluation of Android-based malware evasion techniques deployed to circumvent malware detection. The study characterizes such evasion techniques into two broad categories, polymorphism and metamorphism, and analyses techniques used for stealth malware detection based on the malware’s unique characteristics. Furthermore, the article also presents a qualitative and systematic comparison of evasion detection frameworks and their detection methodologies for Android-based malware. Finally, the survey discusses open-ended questions and potential future directions for continued research in mobile malware detection.

show abstract

Building Deobfuscated Applications from Polymorphic Binaries

Crăciun

Mogage

2022

Innovative Security Solutions for Information Technology and Communications

View full text Add to dashboard Cite

Bypassing Anti-Analysis of Commercial Protector Methods Using DBI Tools

Cited by 11 publications

References 11 publications

Large-Scale Analysis on Anti-Analysis Techniques in Real-World Malware

Large-Scale Analysis on Anti-Analysis Techniques in Real-World Malware

A Survey and Evaluation of Android-Based Malware Evasion Techniques and Detection Frameworks

Building Deobfuscated Applications from Polymorphic Binaries

Contact Info

Product

Resources

About