2021
DOI: 10.1109/access.2020.3048848
|View full text |Cite
|
Sign up to set email alerts
|

Bypassing Anti-Analysis of Commercial Protector Methods Using DBI Tools

Help me understand this report

Search citation statements

Order By: Relevance

Paper Sections

Select...
2
2
1

Citation Types

0
15
0

Year Published

2022
2022
2023
2023

Publication Types

Select...
3
2
1

Relationship

0
6

Authors

Journals

citations
Cited by 11 publications
(15 citation statements)
references
References 11 publications
0
15
0
Order By: Relevance
“…Because the DBI framework is also widelyused to analyze malware, there are several techniques used in malicious applications to avoid being analyzed from the DBI framework and debuggers [40]. However, the analysis tools based on the DBI framework can have implement an automated bypassing module that recognizes and instrument such anti-DBI techniques to bypass them [28].…”
Section: Anti-dbi Techniquesmentioning
confidence: 99%
See 3 more Smart Citations
“…Because the DBI framework is also widelyused to analyze malware, there are several techniques used in malicious applications to avoid being analyzed from the DBI framework and debuggers [40]. However, the analysis tools based on the DBI framework can have implement an automated bypassing module that recognizes and instrument such anti-DBI techniques to bypass them [28].…”
Section: Anti-dbi Techniquesmentioning
confidence: 99%
“…In this work, we focus on anti-DBI techniques, especially for detecting Intel Pin [40] because our approach is based on a dynamic analysis by using Intel Pin. In general, anti-DBI techniques (for detecting Intel Pin) work based on the Nt-QueryInformationProcess (ProcessDebugFlags), Single-Step exception, and PAGEGUARD exception [28], [40]. Among them, the traditional NtGlobalFlag detection technique uses a feature that the value of NtGlobalFlag, one of the variables in the PEB (Process Environment Block) structure, is always set to 0x70 when a debugger is attached to the process.…”
Section: Anti-dbi Techniquesmentioning
confidence: 99%
See 2 more Smart Citations
“…In a typical CPU scenario, we can attain the state of the race condition by executing this code, but in a QEMU emulator environment, the race condition seldom occurs. (d) Detection based on the TB-cache: DBI (DBI is short for dynamic binary instrumentation)based emulators improve efficiency via translation-caching method [129][130][131][132][133][134]. Although this caching mechanism improves emulation efficiency, it also introduces a substantial time disparity when executed on a real CPU.…”
Section: Anti-emulation Transformationmentioning
confidence: 99%