Ce diaporama a bien été signalé.
Nous utilisons votre profil LinkedIn et vos données d’activité pour vous proposer des publicités personnalisées et pertinentes. Vous pouvez changer vos préférences de publicités à tout moment.
On deobfuscation  in practice Vasily Bukasov Dmitry Schelkunov
Obfuscation applications <ul><li>Software protection against computer piracy </li></ul><ul><li>Malware protection against ...
Obfuscators and protectors <ul><li>Manual obfuscation requires a lot of resources </li></ul><ul><li>It’s much easier to us...
Common code protection techniques <ul><li>Code encryption (out of scope of our report) </li></ul><ul><li>Code virtualizati...
Code virtualization <ul><li>Converts a source assembler code to the specially generated byte-code </li></ul><ul><li>Insert...
Code virtualization <ul><li>Byte-code mostly represents original assembler instructions so its execution has the same effe...
Code virtualization Get instruction byte-code Byte-code  fetching loop Get instruction arguments from VM context or from a...
VM context <ul><li>Contains variables associated with processor registers </li></ul><ul><li>Contains VM state </li></ul><u...
VM context location <ul><li>Dynamically allocated memory (VirtualAlloc, HeapAlloc) </li></ul><ul><li>Global memory (access...
VM stack context layout Stack of the  protected code Reserved area VM context rSP 0 Not initialized
« Virtualized »  addition <ul><li>void  unoptimal_addition(  int  a,  int  b,  int  *p ) </li></ul><ul><li>{ </li></ul><ul...
Virtualized code execution Getting byte-code Loading from VM context Instruction execution Saving to VM context  Getting b...
Code devirtualization <ul><li>We can locate VM context </li></ul><ul><li>We can get CFG in most cases </li></ul><ul><li>We...
Code morphing <ul><li>Used to increase resistance to the static analysis </li></ul><ul><li>Used for the CFG obfuscation </...
Code morphing and CFG obfuscation Therefore protectors don’t even try to do it   It’s a difficult task to decompile a mac...
Code morphing and CFG obfuscation Data dependencies analysis is weak in protectors Therefore they are limited in choice of...
Code morphing common techniques Recursive templates Instruction Instruction Instruction … Instruction Template Template Te...
Code morphing common techniques <ul><li>Dead code insertion </li></ul><ul><li>Garbage code insertion </li></ul><ul><li>Opa...
Morphed code deobfuscation <ul><li>Decompilation into IR </li></ul><ul><li>IR instruction emulation </li></ul><ul><li>Coll...
Ariadne engine <ul><li>An engine for RE </li></ul><ul><li>Can be used as IDA plugin </li></ul><ul><li>Enables PE format an...
Ariadne engine <ul><li>Supports assembler instructions translation into  Ariadne Intermediate Representation (AIR) </li></...
Ariadne engine <ul><li>Contains built-in trace deobfuscation ( AIR Wave Deobfuscation Technology ) </li></ul>
AIR Wave Deobfuscation Technology <ul><li>Static deobfuscation </li></ul><ul><ul><li>based on the classical compiler theor...
AIR Wave Deobfuscation Technology <ul><li>Dynamic deobfuscation </li></ul><ul><ul><li>uses  Ariadne IR emulator </li></ul>...
AIR Wave Deobfuscation Technology <ul><li>Deobfuscation techniques </li></ul><ul><ul><li>dead code elimination </li></ul><...
AIR Wave Deobfuscation Technology <ul><li>Deobfuscation techniques </li></ul><ul><ul><li>loop unrolling </li></ul></ul><ul...
Our results <ul><li>Many obfuscators/protectors provide a weak obfuscation </li></ul><ul><li>Ariadne engine  can be effect...
AIR Wave Deobfuscation Technology <ul><li>Tested on … </li></ul><ul><li>See it for yourself   </li></ul>
And our thanks go… <ul><li>To  Rolf Rolles  for his works about virtualization obfuscation unpacking </li></ul><ul><li>To ...
Ariadne engine <ul><li>http://ariadne.group-ib.ru </li></ul>
Prochain SlideShare
Chargement dans…5
×
  • Soyez le premier à commenter

On deobfuscation in practice

  1. 1. On deobfuscation in practice Vasily Bukasov Dmitry Schelkunov
  2. 2. Obfuscation applications <ul><li>Software protection against computer piracy </li></ul><ul><li>Malware protection against automatic detection and to impede analysis of a malicious code </li></ul>
  3. 3. Obfuscators and protectors <ul><li>Manual obfuscation requires a lot of resources </li></ul><ul><li>It’s much easier to use obfuscators and protectors which promise a strong obfuscation </li></ul>
  4. 4. Common code protection techniques <ul><li>Code encryption (out of scope of our report) </li></ul><ul><li>Code virtualization </li></ul><ul><li>Code morphing </li></ul>
  5. 5. Code virtualization <ul><li>Converts a source assembler code to the specially generated byte-code </li></ul><ul><li>Inserts byte-code and byte-code interpreter into the source PE file </li></ul>
  6. 6. Code virtualization <ul><li>Byte-code mostly represents original assembler instructions so its execution has the same effect as from the original instructions </li></ul>
  7. 7. Code virtualization Get instruction byte-code Byte-code fetching loop Get instruction arguments from VM context or from another location Process instruction Save result into VM context or into another location
  8. 8. VM context <ul><li>Contains variables associated with processor registers </li></ul><ul><li>Contains VM state </li></ul><ul><li>Its location can be easily found in most cases </li></ul>
  9. 9. VM context location <ul><li>Dynamically allocated memory (VirtualAlloc, HeapAlloc) </li></ul><ul><li>Global memory (access via spinlock) </li></ul><ul><li>Stack </li></ul>
  10. 10. VM stack context layout Stack of the protected code Reserved area VM context rSP 0 Not initialized
  11. 11. « Virtualized » addition <ul><li>void unoptimal_addition( int a, int b, int *p ) </li></ul><ul><li>{ </li></ul><ul><li>int u, v, t, *r; </li></ul><ul><li>u = a; </li></ul><ul><li>v = b; </li></ul><ul><li>r = p; </li></ul><ul><li>  </li></ul><ul><li>t = u + v; </li></ul><ul><li>*r = t; </li></ul><ul><li>} </li></ul>
  12. 12. Virtualized code execution Getting byte-code Loading from VM context Instruction execution Saving to VM context Getting byte-code Loading from VM context Instruction execution Saving to VM context This code is asking to be optimized  etc…
  13. 13. Code devirtualization <ul><li>We can locate VM context </li></ul><ul><li>We can get CFG in most cases </li></ul><ul><li>We can use common code optimization algorithms to deobfuscate a virtualized code </li></ul>
  14. 14. Code morphing <ul><li>Used to increase resistance to the static analysis </li></ul><ul><li>Used for the CFG obfuscation </li></ul><ul><li>Used to increase VM body analyzing complexity </li></ul>
  15. 15. Code morphing and CFG obfuscation Therefore protectors don’t even try to do it  It’s a difficult task to decompile a machine code
  16. 16. Code morphing and CFG obfuscation Data dependencies analysis is weak in protectors Therefore they are limited in choice of obfuscation techniques
  17. 17. Code morphing common techniques Recursive templates Instruction Instruction Instruction … Instruction Template Template Template Template
  18. 18. Code morphing common techniques <ul><li>Dead code insertion </li></ul><ul><li>Garbage code insertion </li></ul><ul><li>Opaque predicates </li></ul><ul><li>Jump address calculation </li></ul><ul><li>Code cloning </li></ul>
  19. 19. Morphed code deobfuscation <ul><li>Decompilation into IR </li></ul><ul><li>IR instruction emulation </li></ul><ul><li>Collecting variables values </li></ul><ul><li>Emulation-based deobfuscation techniques </li></ul>
  20. 20. Ariadne engine <ul><li>An engine for RE </li></ul><ul><li>Can be used as IDA plugin </li></ul><ul><li>Enables PE format analyzing, disassembling and modifying </li></ul><ul><li>Supports GP, FPU, MMX, SSE, SSE2, SSE3, SSSE3, SSE4.1, SSE4.2, SSE4a, VMX, SMX </li></ul>
  21. 21. Ariadne engine <ul><li>Supports assembler instructions translation into Ariadne Intermediate Representation (AIR) </li></ul><ul><li>Supports IR instructions emulation </li></ul><ul><li>Contains emulator-based code tracing mechanisms </li></ul>
  22. 22. Ariadne engine <ul><li>Contains built-in trace deobfuscation ( AIR Wave Deobfuscation Technology ) </li></ul>
  23. 23. AIR Wave Deobfuscation Technology <ul><li>Static deobfuscation </li></ul><ul><ul><li>based on the classical compiler theory approaches </li></ul></ul><ul><ul><li>doesn’t use emulation </li></ul></ul>
  24. 24. AIR Wave Deobfuscation Technology <ul><li>Dynamic deobfuscation </li></ul><ul><ul><li>uses Ariadne IR emulator </li></ul></ul><ul><ul><li>calculates values of variables </li></ul></ul><ul><ul><li>determines in a lot of cases where a pointer points to </li></ul></ul><ul><ul><li>used for dereferenced pointers deobfuscation </li></ul></ul>
  25. 25. AIR Wave Deobfuscation Technology <ul><li>Deobfuscation techniques </li></ul><ul><ul><li>dead code elimination </li></ul></ul><ul><ul><li>variables propagation </li></ul></ul><ul><ul><li>constant folding </li></ul></ul><ul><ul><li>math simplifications </li></ul></ul>
  26. 26. AIR Wave Deobfuscation Technology <ul><li>Deobfuscation techniques </li></ul><ul><ul><li>loop unrolling </li></ul></ul><ul><ul><li>common subexpression elimination </li></ul></ul><ul><ul><li>pointer analysis and alias classification </li></ul></ul>
  27. 27. Our results <ul><li>Many obfuscators/protectors provide a weak obfuscation </li></ul><ul><li>Ariadne engine can be effectively used for deobfuscation </li></ul>
  28. 28. AIR Wave Deobfuscation Technology <ul><li>Tested on … </li></ul><ul><li>See it for yourself  </li></ul>
  29. 29. And our thanks go… <ul><li>To Rolf Rolles for his works about virtualization obfuscation unpacking </li></ul><ul><li>To Leta Group for Ariadne sponsorship </li></ul>
  30. 30. Ariadne engine <ul><li>http://ariadne.group-ib.ru </li></ul>

×