A Study on API Wrapping in Themida and Unpacking Technique

Lee, Jae-hwi; Han, Jaehyeok; Lee, Min Wook; Choi, Jae-mun; Baek, Hyunwoo; Lee, Sang-Jin

doi:10.13089/jkiisc.2017.27.1.67

Cited by 4 publications

(3 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“… Themida VerifierIt determines whether an input program is obfuscated by Themida or not. If the input program is not obfuscated by Themida, abort the analyzing process. Anti‐Analysis DetectorIt determines whether an input program is obfuscated with anti‐analysis options provided by Themida. API‐Wrapping DetectorIt determines whether an input program is obfuscated with the API‐Wrapping option by monitoring the NtAllocateVirtualMemory API with RWE (Read/Write/Execute) permission ( Rule 3‐2 ). API‐Wrapping UnWrapperIf an input program is obfuscated with API‐Wrapping , it unwraps the original API address by monitoring the source/destination address of the API code copy instruction. The unwrapped address (original API address) is recorded to the unwrap‐log to complement the IAT‐log ( Rule 3‐2 ). IAT DetectorIt determines where the IAT existed by using memory write monitoring at the top section ( Rule 1‐1 ) and records the IAT‐log. Direct Call & Jump DetectorIt records locations of direct call/jump statements and its indirect addresses for converting a direct call/jump into an indirect call/jump ( Rule 2‐3 ). Original EntryPoint CheckerIt determines whether an input program is executed at the unpacked code section to record the OEP ( Rule 4‐3 ). Original Code & Data ExtractorIt extracts code and data immediately after jumping to the unpacked code section ( Rule 2‐4 ). …”

Section: Methodsmentioning

confidence: 99%

See 1 more Smart Citation

UnThemida: Commercial obfuscation technique analysis with a fully obfuscated program

et al. 2018

View full text Add to dashboard Cite

The main goal of code obfuscation is to make software more difficult to reverse engineer. These techniques modify data structures and control flow while retaining the functionality of the original program. Although obfuscation is a useful method for protecting programs, it can also be used to protect malware. This raises concerns that malware could use code obfuscation to avoid detection by antivirus software. It is very difficult to analyze the functionality of obfuscated malware before it has been deobfuscated. Furthermore, commercial obfuscation tools allow malware authors to apply multiple obfuscation options simultaneously, and current deobfuscation techniques cannot handle this situation. In this study, we analyzed a well-known commercial obfuscation tool called Themida. We applied its many obfuscation options to a program and implemented a tool to recover the original code and data. We extracted features from obfuscated programs and analyzed their control flow. Our tool is based on these features and the control flow patterns and can identify whether Themida has been applied to the program and which obfuscation options have been used. Finally, we suggested a method for recovering the import address table of programs by using dynamic binary instrumentation. The proposed rules and algorithms can almost completely recover the APIs of programs even though they are hidden by obfuscation options provided by Themida.

show abstract

Section: Methodsmentioning

confidence: 99%

“…It determines whether an input program is obfuscated with the API‐Wrapping option by monitoring the NtAllocateVirtualMemory API with RWE (Read/Write/Execute) permission ( Rule 3‐2 ).…”

Section: Methodsmentioning

confidence: 99%

UnThemida: Commercial obfuscation technique analysis with a fully obfuscated program

et al. 2018

View full text Add to dashboard Cite

show abstract

“…Since commercial obfuscation tools such as Dexguard [19], VMprotect [20], Themida [21], and Dexprotector [22] are available in the market, attackers can easily obfuscate malware by using them. However, there has not been a complete study on the automated deobfuscation against such commercial obfuscation tools [23].…”

Section: Overviewmentioning

confidence: 99%

Deobfuscating Mobile Malware for Identifying Concealed Behaviors

Lee¹,

Jeon²,

Lee³

et al. 2022

Computers, Materials &Amp; Continua

View full text Add to dashboard Cite

The smart phone market is continuously increasing and there are more than 6 billion of smart phone users worldwide with the aid of the 5G technology. Among them Android occupies 87% of the market share. Naturally, the widespread Android smartphones has drawn the attention of the attackers who implement and spread malware. Consequently, currently the number of malware targeting Android mobile phones is ever increasing. Therefore, it is a critical task to find and detect malicious behaviors of malware in a timely manner. However, unfortunately, attackers use a variety of obfuscation techniques for malware to evade or delay detection. When an obfuscation technique such as the class encryption is applied to a malicious application, we cannot obtain any information through a static analysis regarding its malicious behaviors. Hence, we need to rely on the manual, dynamic analysis to find concealed malicious behaviors from obfuscated malware. To avoid malware spreading out in larger scale, we need an automated deobfuscation approach that accurately deobfuscates obfuscated malware so that we can reveal hidden malicious behaviors. In this study, we introduce widely-used obfuscation techniques and propose an effective deobfuscation method, named ARBDroid, for automatically deobfuscating the string encryption, class encryption, and API hiding techniques. Our evaluation results clearly demonstrate that our approach can deobfuscate obfuscated applications based on dynamic analysis results.

show abstract

A Modified Smart Contract Execution Enviroment for Safe Function Calls

Lee

Cho

2019

2019 IEEE 43rd Annual Computer Software and Applications Conference (COMPSAC)

View full text Add to dashboard Cite

A Study on API Wrapping in Themida and Unpacking Technique

Cited by 4 publications

References 0 publications

UnThemida: Commercial obfuscation technique analysis with a fully obfuscated program

UnThemida: Commercial obfuscation technique analysis with a fully obfuscated program

Deobfuscating Mobile Malware for Identifying Concealed Behaviors

A Modified Smart Contract Execution Enviroment for Safe Function Calls

Contact Info

Product

Resources

About