CoDisasm

Bonfante, Guillaume; Fernandez, José M.; Marion, Jean-Yves; Rouxel, Benjamin; Sabatier, Fabrice; Thierry, Aurélien

doi:10.1145/2810103.2813627

Cited by 41 publications

(3 citation statements)

References 27 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We also compare BareUnpack's result with other representative generic unpacking tools: PolyUnpack [3], Renovo [4], OmniUnpack [5], CoDisasm [17] and PINdemonium [18]. All of them are relying on some simulated environments.…”

Section: Datasetmentioning

confidence: 99%

“…PolyUnpack [3], Renovo [4], OmniUnpack [5] CoDisasm [17] and PINdemonium [18] are the most notably generic unpacking approaches. Table 6 illustrates the various simulated environments applied by these approaches.…”

Section: Related Workmentioning

confidence: 99%

“…CoDisasm [17] developed Pin tracer to collects an execution trace of a stripped binary, which is based on Pin tool [19] and recovers each unpacking layer by taking a memory snapshot at the beginning of the layer. Similarly, PinDemonium [18] also relies on the Pin tool to "identify written and then executed memory regions".…”

Section: Approach Simulated Environment Monitoring Granularity Evade mentioning

confidence: 99%

See 2 more Smart Citations

BareUnpack: Generic Unpacking on the Bare-Metal Operating System

Cheng

2018

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

Malware has become a growing threat as malware writers have learned that signature-based detectors can be easily evaded by packing the malware. Packing is a major challenge to malware analysis. The generic unpacking approach is the major solution to the threat of packed malware, and it is based on the intrinsic nature of the execution of packed executables. That is, the original code should be extracted in memory and get executed at run-time. The existing generic unpacking approaches need a simulated environment to monitor the executing of the packed executables. Unfortunately, the simulated environment is easily detected by the environment-sensitive packers. It makes the existing generic unpacking approaches easily evaded by the packer. In this paper, we propose a novel unpacking approach, BareUnpack, to monitor the execution of the packed executables on the bare-metal operating system, and then extracts the hidden code of the executable. BareUnpack does not need any simulated environment (debugger, emulator or VM), and it works on the bare-metal operating system directly. Our experimental results show that BareUnpack can resist the environment-sensitive packers, and improve the unpacking effectiveness, which outperforms other existing unpacking approaches. key words: malware analysis, environment-sensitive techniques, simulated environment, generic unpacker †

show abstract

Section: Datasetmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Approach Simulated Environment Monitoring Granularity Evade mentioning

confidence: 99%

See 1 more Smart Citation

BareUnpack: Generic Unpacking on the Bare-Metal Operating System

Cheng

2018

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

show abstract

UnThemida: Commercial obfuscation technique analysis with a fully obfuscated program

et al. 2018

View full text Add to dashboard Cite

The main goal of code obfuscation is to make software more difficult to reverse engineer. These techniques modify data structures and control flow while retaining the functionality of the original program. Although obfuscation is a useful method for protecting programs, it can also be used to protect malware. This raises concerns that malware could use code obfuscation to avoid detection by antivirus software. It is very difficult to analyze the functionality of obfuscated malware before it has been deobfuscated. Furthermore, commercial obfuscation tools allow malware authors to apply multiple obfuscation options simultaneously, and current deobfuscation techniques cannot handle this situation. In this study, we analyzed a well-known commercial obfuscation tool called Themida. We applied its many obfuscation options to a program and implemented a tool to recover the original code and data. We extracted features from obfuscated programs and analyzed their control flow. Our tool is based on these features and the control flow patterns and can identify whether Themida has been applied to the program and which obfuscation options have been used. Finally, we suggested a method for recovering the import address table of programs by using dynamic binary instrumentation. The proposed rules and algorithms can almost completely recover the APIs of programs even though they are hidden by obfuscation options provided by Themida.

show abstract

Field experience with obfuscating million‐user iOS apps in large enterprise mobile development

Wang

Chen³

et al. 2018

Softw Pract Exp

View full text Add to dashboard Cite

Summary In recent years, mobile apps have become the infrastructure of many popular Internet services. It is now common that a mobile app serves millions of users across the globe. By examining the code of these apps, reverse engineers can learn various knowledge about the design and implementation of the apps. Real‐world cases have shown that the disclosed critical information allows malicious parties to abuse or exploit the app‐provided services for unrightful profits, leading to significant financial losses. One of the most viable mitigations against malicious reverse engineering is to obfuscate the apps. Despite that security by obscurity is typically considered to be an unsound protection methodology, software obfuscation can indeed increase the cost of reverse engineering, thus delivering practical merits for protecting mobile apps. In this paper, we share our experience of applying obfuscation to multiple commercial iOS apps, each of which has millions of users. We discuss the necessity of adopting obfuscation for protecting modern mobile business, the challenges of software obfuscation on the iOS platform, and our efforts in overcoming these obstacles. We especially focus on factors that are unique to mobile software development that may affect the design and deployment of obfuscation techniques. We report the outcome of our obfuscation with empirical experiments. We additionally elaborate on the follow‐up case studies about how our obfuscation affected the app publication process and how we responded to the negative impacts. This experience report can benefit mobile developers, security service providers, and Apple as the administrator of the iOS ecosystem.

show abstract

CoDisasm

Cited by 41 publications

References 27 publications

BareUnpack: Generic Unpacking on the Bare-Metal Operating System

BareUnpack: Generic Unpacking on the Bare-Metal Operating System

UnThemida: Commercial obfuscation technique analysis with a fully obfuscated program

Field experience with obfuscating million‐user iOS apps in large enterprise mobile development

Contact Info

Product

Resources

About