Obfuscating Windows DLLs

Abrath, Bert; Coppens, Bart; Volckaert, Stijn; Sutter, Bjorn De

doi:10.1109/spro.2015.13

Cited by 6 publications

(6 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The feature is available in some commercial obfuscation tools, such as DexProtector (2018). Abrath et al (2015) investigate the problem for Windows software, and they also propose to replace the original function calls via a binder. Bohannon and Holmes (2017) investigated a similar problem for Windows powershell scripts.…”

Section: Code Diversificationmentioning

confidence: 99%

Layered obfuscation: a taxonomy of software obfuscation techniques for layered security

Zhou

Jiang

et al. 2020

Cybersecur

View full text Add to dashboard Cite

Software obfuscation has been developed for over 30 years. A problem always confusing the communities is what security strength the technique can achieve. Nowadays, this problem becomes even harder as the software economy becomes more diversified. Inspired by the classic idea of layered security for risk management, we propose layered obfuscation as a promising way to realize reliable software obfuscation. Our concept is based on the fact that real-world software is usually complicated. Merely applying one or several obfuscation approaches in an ad-hoc way cannot achieve good obscurity. Layered obfuscation, on the other hand, aims to mitigate the risks of reverse software engineering by integrating different obfuscation techniques as a whole solution. In the paper, we conduct a systematic review of existing obfuscation techniques based on the idea of layered obfuscation and develop a novel taxonomy of obfuscation techniques. Following our taxonomy hierarchy, the obfuscation strategies under different branches are orthogonal to each other. In this way, it can assist developers in choosing obfuscation techniques and designing layered obfuscation solutions based on their specific requirements.

show abstract

Section: Code Diversificationmentioning

confidence: 99%

Layered obfuscation: a taxonomy of software obfuscation techniques for layered security

Zhou

Jiang

et al. 2020

Cybersecur

View full text Add to dashboard Cite

show abstract

“…DLL Static Linking When a system DLL is statically linked to a malware executable, we cannot identify the APIs exported from the DLL [1]. This is because the codes of the APIs exported from the DLL do not have any taint tags, even though we need taint tags to resolve the API names.…”

Section: Limitationmentioning

confidence: 99%

Taint-assisted IAT Reconstruction against Position Obfuscation

Kawakoya¹,

Miyoshi²

2018

Journal of Information Processing

View full text Add to dashboard Cite

Windows Application Programming Interface (API) is an important data source for analysts to effectively understand the functions of malware. Due to this, malware authors are likely to hide the imported APIs in their malware by taking advantage of various obfuscation techniques. In this paper, we first build a formal model of the Import Address Table (IAT) reconstruction procedure to keep our description independent of specific implementations and then formally point out that the current IAT reconstruction is vulnerable to position obfuscation techniques, which are anti-analysis techniques obfuscating the positions of loaded APIs or Dynamic Link Libraries (DLLs). Next, we introduce an approach for API name resolution, which is an essential step in IAT reconstruction, on the basis of taint analysis to defeat position obfuscation techniques. The key idea of our approach is that we first define taint tags, each of which has a unique value for each API, apply the taint of the API to each of its instructions, track the movement of the API instructions by propagating the tags, and then resolve API names from the propagated tags for IAT reconstruction after acquiring a memory dump of the process under analysis. Finally, we experimentally demonstrate that a system in which our proposed API name resolution has been implemented enables us to correctly identify imported APIs even when malware authors apply various position obfuscation techniques to their malware.

show abstract

“…One closely related study is by Abrath et al [2]. They proposed a technique of linking Windows-system DLLs statically with an executable and deleting imported API information from it to prevent API calls from being monitored.…”

Section: Related Workmentioning

confidence: 99%

“…Stealth Loader evaded all the tools. IAT Obfuscation and API Redirection are techniques for API obfuscation while ldrmodules is a tool for extracting loaded DLLs 2. When we manually gave the correct original entry point of a protected executable to Scylla, it could identify imported APIs correctly.…”

mentioning

confidence: 99%

Stealth Loader: Trace-free Program Loading for Analysis Evasion

Kawakoya¹,

Shioji²,

Otsuki³

et al. 2018

Journal of Information Processing

View full text Add to dashboard Cite

Understanding how application programming interfaces (APIs) are used in a program plays an important role in malware analysis. This, however, has resulted in an endless battle between malware authors and malware analysts around the development of API [de]obfuscation techniques over the last few decades. Our goal in this paper is to show the limit of existing API de-obfuscation techniques. To do that, we first analyzed existing API [de]obfuscation techniques and clarified that an attack vector commonly exists in these techniques; then, we present Stealth Loader, which is a program loader to bypass all existing API de-obfuscation techniques. The core idea of Stealth Loader is to load a dynamic link library (DLL) and resolve its dependency without leaving any traces on memory to be detected. We demonstrated the effectiveness of Stealth Loader by analyzing a set of Windows executables and malware protected with Stealth Loader using major dynamic and static analysis tools. The results indicate that among other obfuscation tools, only Stealth Loader is able to successfully bypass all analysis tools.

show abstract

Obfuscating Windows DLLs

Cited by 6 publications

References 8 publications

Layered obfuscation: a taxonomy of software obfuscation techniques for layered security

Layered obfuscation: a taxonomy of software obfuscation techniques for layered security

Taint-assisted IAT Reconstruction against Position Obfuscation

Stealth Loader: Trace-free Program Loading for Analysis Evasion

Contact Info

Product

Resources

About