Automated static analysis of virtual-machine packers

Abstract

The ability to reverse the most advanced software protection schemes is a critical step in mitigating malicious code attacks. Unfortunately, the analyst side seems to be losing in the ongoing arms race between malware developers and reverse engineers. Obfuscation that takes advantage of a virtual-machine like architecture has proven to be one of the most difficult to deal with. Virtual-machine packers are able to hide the intentions of programs they are applied to and are resistant to formerly effective unpacking techniques. Others have proposed methods to deal with such complex protections, but they are often tedious, expensive, and/or inflexible. We propose a novel approach to automate the analysis process of virtualization protected executables. Our design avoids many pitfalls and performance issues of dynamic-analysis systems by only employing static program-analysis techniques and emphasizing work-reuse and generality in order to maintain efficiency, flexibility, and accessibility, for even novice analysts. The proof-of-concept system we have developed shows promise for the future of virtual-machine protected software analysis.

Item was in collections: University of Illinois Theses & Dissertations. Made available in DSpace on 2013-08-22T16:49:00Z (GMT).

Illinois Digital Environment for Access to Learning and Scholarship Repository

Last time updated on 02/10/2013
