UnThemida: Commercial obfuscation technique analysis with a fully obfuscated program

Jae Hyuk Suk, Jae Yung Lee, Hongjoo Jin, In-Seok Kim, Dong Hoon Lee

Research output: Contribution to journalArticle

3 Citations (Scopus)

Abstract

The main goal of code obfuscation is to make software more difficult to reverse engineer. These techniques modify data structures and control flow while retaining the functionality of the original program. Although obfuscation is a useful method for protecting programs, it can also be used to protect malware. This raises concerns that malware could use code obfuscation to avoid detection by antivirus software. It is very difficult to analyze the functionality of obfuscated malware before it has been deobfuscated. Furthermore, commercial obfuscation tools allow malware authors to apply multiple obfuscation options simultaneously, and current deobfuscation techniques cannot handle this situation. In this study, we analyzed a well-known commercial obfuscation tool called Themida. We applied its many obfuscation options to a program and implemented a tool to recover the original code and data. We extracted features from obfuscated programs and analyzed their control flow. Our tool is based on these features and the control flow patterns and can identify whether Themida has been applied to the program and which obfuscation options have been used. Finally, we suggested a method for recovering the import address table of programs by using dynamic binary instrumentation. The proposed rules and algorithms can almost completely recover the APIs of programs even though they are hidden by obfuscation options provided by Themida.

Original languageEnglish
JournalSoftware - Practice and Experience
DOIs
Publication statusAccepted/In press - 2018 Jan 1

    Fingerprint

Keywords

  • Debugging
  • Packer
  • Reverse engineering
  • Software implementation
  • Software protection

ASJC Scopus subject areas

  • Software

Cite this