Hybrid emulation for bypassing anti-reversing techniques and analyzing malware

Choi, Seokwoo; Chang, Taejoo; Yoon, Sung woo; Park, Yong-Su

doi:10.1007/s11227-020-03270-6

Cited by 8 publications

(7 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Choi et al [16] proposed HybridEmu, a DBI framework for dynamically analyzing malware. They compared various DBI frameworks to prove resistance to 29 common antidebug techniques and anti-debug techniques provided by 17 commercial protectors.…”

Section: Introductionmentioning

confidence: 99%

Large-Scale Analysis on Anti-Analysis Techniques in Real-World Malware

Kim

Cho

2022

IEEE Access

View full text Add to dashboard Cite

To dynamically identify malicious behaviors of millions of Windows malware, anti-virus vendors have widely been using sandbox-based analyzers. However, the sandbox-based analysis has a critical limitation that anti-analysis techniques (i.e., Anti-sandbox and Anti-VM techniques) can easily detect analyzers and evade from being analyzed. In this work, we study on anti-analysis techniques used in real-world malware. First off, to measure how many Windows malware exhibits anti-analysis techniques, we collect anti-analysis techniques used in malware. We, then, design and implement an automated system, named EvDetector, that detects malware which employ anti-analysis techniques. EvDetector finds if malware uses an anti-analysis technique and monitors whether the malware changes its execution paths based on the result of the anti-analysis technique. By using EvDetector, we analyzed 763,985 real-world malware that emerged from 2017 to 2020. Our evaluation results show that 16.21% of malware use antianalysis techniques on average. Also, we check the effectiveness of the analysis result by comparing EvDetector and static analysis. EvDetector analyzes up to 49.88% of malware detected by static analysis did not use anti-analysis techniques. In addition, we analyze that only up to 3.75% of the packed malware used anti-analysis techniques. Finally, we analyze the evasive malware trend through familial analysis and behavioral analysis. Our work implies that the research community needs to put more effort on defeating such anti-analysis techniques to automatically analyze emerging malware and respond with them.

show abstract

Section: Introductionmentioning

confidence: 99%

Large-Scale Analysis on Anti-Analysis Techniques in Real-World Malware

Kim

Cho

2022

IEEE Access

View full text Add to dashboard Cite

show abstract

“…Among the many samples, there were some that this paper failed to analyze. Because this work can defeat some APIs and PEB structure-based anti-debugging techniques, the antidebugging using different artifacts could not be defeated, such as RDTSC instruction, Memory Breakpoint, Self-Modifying, and Single-Step Detection [22].…”

Section: Resultsmentioning

confidence: 99%

“…Therefore, the DBI can bypass the anti-debugging techniques by code insertion. However, analysis is inconvenient, and some DBIs cannot execute complex programs correctly [22]. Recently Hao Shi and Jelena Mirkovic proposed the Apate framework to analyze malware [23].…”

Section: Related Workmentioning

confidence: 99%

Defeating Anti-Debugging Techniques for Malware Analysis Using a Debugger

Kim¹,

Bang²,

Choi³

2020

Adv. sci. technol. eng. syst. j.

View full text Add to dashboard Cite

“…Choi et al proposed HybridEmu [35], which is a dynamic analysis scheme for investigating the internal structure of malicious code in Microsoft Windows 32-bit environments. Similar to xUnpack64 [12], HybridEmu can directly call or emulate various API functions in malware while emulating instructions using a 32-bit CPU simulator.…”

Section: Related Workmentioning

confidence: 99%

UnSafengine64: A Safengine Unpacker for 64-Bit Windows Environments and Detailed Analysis Results on Safengine 2.4.0

Choi,

Chang,

Park

2024

Sensors

Self Cite

View full text Add to dashboard Cite

Despite recent remarkable advances in binary code analysis, malware developers still use complex anti-reversing techniques that make analysis difficult. Packers are used to protect malware, which are (commercial) tools that contain diverse anti-reversing techniques, including code encryption, anti-debugging, and code virtualization. In this study, we present UnSafengine64: a Safengine unpacker for 64-bit Windows. UnSafengine64 can correctly unpack packed executables using Safengine, which is considered one of the most complex commercial packers in Windows environments; to the best of our knowledge, there have been no published analysis results. UnSafengine64 was developed as a plug-in for Pin, which is one of the most widely used dynamic analysis tools for Microsoft Windows. In addition, we utilized Detect It Easy (DIE), IDA Pro, x64Dbg, and x64Unpack as auxiliary tools for deep analysis. Using UnSafengine64, we can analyze obfuscated calls for major application programming interface (API) functions or conduct fine-grained analyses at the instruction level. Furthermore, UnSafengine64 detects anti-debugging code chunks, captures a memory dump of the target process, and unpacks packed files. To verify the effectiveness of our scheme, experiments were conducted using Safengine 2.4.0. The experimental results show that UnSafengine64 correctly executes packed executable files and successfully produces an unpacked version. Based on this, we provided detailed analysis results for the obfuscated executable file generated using Safengine 2.4.0.

show abstract

Hybrid emulation for bypassing anti-reversing techniques and analyzing malware

Cited by 8 publications

References 13 publications

Large-Scale Analysis on Anti-Analysis Techniques in Real-World Malware

Large-Scale Analysis on Anti-Analysis Techniques in Real-World Malware

Defeating Anti-Debugging Techniques for Malware Analysis Using a Debugger

UnSafengine64: A Safengine Unpacker for 64-Bit Windows Environments and Detailed Analysis Results on Safengine 2.4.0

Contact Info

Product

Resources

About