Automatic Detection and Bypassing of Anti-Debugging Techniques for Microsoft Windows Environments
PARK, J., JANG, Y.-H., HONG, S., PARK, Y.
Author keywords
computer hacking, computer security, debugging, reverse engineering, software protection
About this article
Date of Publication: 2019-05-31
Volume 19, Issue 2, Year 2019, On page(s): 23 - 28
ISSN: 1582-7445, e-ISSN: 1844-7600
Digital Object Identifier: 10.4316/AECE.2019.02003
Web of Science Accession Number: 000475806300003
SCOPUS ID: 85066320679
Abstract
In spite of recent remarkable advances in binary code analysis, adversaries still use diverse anti-reversing techniques to obfuscate code and make analysis difficult. Unlike most previous work, which relies on debugger plugins to neutralize anti-debugging techniques, we focus on Pin, one of the most widely used DBI (Dynamic Binary Instrumentation) tools in 80x86 environments. In this paper, we present an automatic anti-debugging detection/bypassing scheme using Pin. To evaluate the effectiveness of our algorithm, we conducted experiments on 17 of the most widely used (commercial) protectors, and all of their anti-debugging techniques were bypassed automatically. In particular, our experiments include Safengine, one of the most complex commercial protectors, which, to the best of our knowledge, has not been successfully analyzed by academic researchers up to now. The experimental results also show that the proposed scheme performs better than the most recent work, Apate.
References
[1] W. Yan, Z. Zhang, N. Ansari, "Revealing packed malware," IEEE Security and Privacy, vol. 6, no. 5, pp. 65-69, 2008.
[2] D. Devi, S. Nandi, "Detection of packed malware," in Proc. of the First International Conference on Security of Internet of Things, pp. 22-26, 2012.
[3] G. N. Barbosa, R. R. Branco, "Prevalent characteristics in modern malware," in Proc. of Black Hat 2014, USA, 2014.
[4] Oreans Technologies, "Themida: advanced Windows software protection system," [Online]. Link not reproduced on this page; see the PDF.
[5] VMSoft, "VMProtect software: VMProtect virtualizes code," [Online]. Link not reproduced on this page; see the PDF.
[6] Safengine, "Safengine protector," [Online]. Link not reproduced on this page; see the PDF.
[7] StrongOD, "StrongOD 0.4.8.892 - Make your OllyDbg Strong," [Online]. Link not reproduced on this page; see the PDF.
[8] OllyAdvanced, "OllyAdvanced - OllyDbg plugin for a number of advancements and anti-debug features," [Online]. Link not reproduced on this page; see the PDF.
[9] H. Shi, J. Mirkovic, "Hiding debuggers from malware with Apate," in Proc. of ACM SAC 2017, pp. 495-508, 2017.
[10] C. Luk, R. Cohn, R. Muth, H. Patil, A. Klauser, G. Lowney, S. Wallace, V. J. Reddi, K. Hazelwood, "Pin: building customized program analysis tools with dynamic instrumentation," in Proc. of the 2005 ACM SIGPLAN Conference on PLDI, pp. 190-200, 2005.
[11] S. Bardin, R. David, J. Marion, "Backward-Bounded DSE: Targeting Infeasibility Questions on Obfuscated Codes," in Proc. of 2017 IEEE Symposium on Security and Privacy, pp. 633-651, 2017.
[12] T. Blazytko, M. Contag, C. Aschermann, T. Holz, "Syntia: Synthesizing the Semantics of Obfuscated Code," in Proc. of USENIX Security Symposium 2017, pp. 643-659, 2017.
[13] R. David, S. Bardin, T. D. Ta, J. Feist, L. Mounier, M. L. Potet, J. Y. Marion, "BINSEC/SE: A Dynamic Symbolic Execution Toolkit for Binary-level Analysis," in Proc. of 2016 IEEE 23rd International Conference on Software Analysis, Evolution, and Reengineering (SANER), pp. 653-656, 2016.
[14] X. Meng, B. P. Miller, "Binary code is not easy," in Proc. of the 25th International Symposium on Software Testing and Analysis, pp. 24-35, 2016.
[15] S. Eschweiler, K. Yakdan, E. Gerhards-Padilla, "discovRE: Efficient Cross-Architecture Identification of Bugs in Binary Code," in Proc. of the Network and Distributed System Security Symposium (NDSS 2016), 2016.
[16] J. Pewny, B. Garmany, R. Gawlik, C. Rossow, T. Holz, "Cross-Architecture Bug Search in Binary Executables," in Proc. of the 2015 IEEE Symposium on Security and Privacy, pp. 709-724, 2015.
[17] J. Lee, H. Chang, S. Cho, S. Kim, Y. Park, W. Choi, "Integration of Software Protection Mechanisms against Reverse Engineering Attacks," Journal of Information, vol. 15, no. 4, pp. 1569-1578, 2012.
[18] X. Chen, J. Andersen, Z. M. Mao, M. Bailey, J. Nazario, "Towards an Understanding of Anti-virtualization and Anti-debugging Behavior in Modern Malware," in Proc. of IEEE Conference on Dependable Systems and Networks (DSN 2008), pp. 177-186, 2008.
[19] J. Tully, "Introduction into Windows anti-debugging," [Online]. Link not reproduced on this page; see the PDF.
[20] P. Ferrie, "The ultimate anti-debugging reference," [Online]. Link not reproduced on this page; see the PDF.
[21] T. Shields, "Anti-debugging - a developer's view," 2011.
[22] A. J. Smith, R. F. Mills, A. R. Bryant, G. L. Peterson, M. R. Grimaila, "REDIR: Automated static detection of obfuscated anti-debugging techniques," in Proc. of 2014 International Conference on Collaboration Technologies and Systems, pp. 173-180, 2014.
[23] D. Brumley, I. Jager, T. Avgerinos, E. J. Schwartz, "BAP: A Binary Analysis Platform," in Proc. of International Conference on Computer Aided Verification 2011, pp. 463-469, 2011.
[24] P. Chen, C. Huygens, L. Desmet, W. Joosen, "Advanced or not? A comparative study of the use of anti-debugging and anti-VM techniques in generic and targeted malware," in Proc. of IFIP SEC 2016 Conference, pp. 323-336, 2016.
[25] K. Yoshizaki, T. Yamauchi, "Malware Detection Method Focusing on Anti-debugging Functions," in Proc. of Computing and Networking (CANDAR) 2014, pp. 563-566, 2014.
[26] V. Oduguwa, A. Tiwari, R. Roy, "Evolutionary computing in manufacturing industry: an overview of recent applications," Applied Soft Computing, vol. 5, no. 3, pp. 281-299, 2005.
[27] C. Pozna, F. Troester, R. E. Precup, J. Tar, S. Preitl, "On the design of an obstacle avoiding trajectory: method and simulation," Mathematics and Computers in Simulation, vol. 79, no. 7, pp. 2211-2226, 2009.
[28] J. Saadat, P. Moallem, H. Koofigar, "Training echo state neural network using harmony search algorithm," International Journal of Artificial Intelligence, vol. 15, no. 1, pp. 163-179, 2017.
[29] S. Vrkalovic, E. Lunca, I. Borlea, "Model-free sliding mode and fuzzy controllers for reverse osmosis desalination plants," International Journal of Artificial Intelligence, vol. 16, no. 2, pp. 208-222, 2018.
[30] Obsidium Software, "Obsidium Software Protection System," [Online]. Link not reproduced on this page; see the PDF.
[31] OllyDbg, "OllyDbg v1.10: 32-bit assembler level analyzing debugger for Microsoft Windows," [Online]. Link not reproduced on this page; see the PDF.
Faculty of Electrical Engineering and Computer Science
Stefan cel Mare University of Suceava, Romania