Dmitry Schelkunov, Vasily Bukasov - About practical deobfuscation

International Security Conference "ZeroNights 2011" - http://www.zeronights.org/


1. On deobfuscation in practice
   Vasily Bukasov, Dmitry Schelkunov

2. Obfuscation applications
   • Software protection against computer piracy
   • Malware protection against automatic detection, and to impede analysis of malicious code

3. Obfuscators and protectors
   • Manual obfuscation requires a lot of resources
   • It is much easier to use obfuscators and protectors, which promise strong obfuscation

4. Common code protection techniques
   • Code encryption (out of scope of this report)
   • Code virtualization
   • Code morphing

5. Code virtualization
   • Converts the source assembler code into specially generated byte-code
   • Inserts the byte-code and a byte-code interpreter into the source PE file

6. Code virtualization
   The byte-code mostly represents the original assembler instructions, so executing it has the same effect as executing the original instructions.

7. Code virtualization: the byte-code fetching loop
   • Get the instruction byte-code
   • Get the instruction arguments from the VM context or from another location
   • Process the instruction
   • Save the result into the VM context or into another location
   • Repeat for the next instruction

8. VM context
   • Contains variables associated with processor registers
   • Contains the VM state
   • Its location can be easily found in most cases

9. VM context location
   • Dynamically allocated memory (VirtualAlloc, HeapAlloc)
   • Global memory (access via spinlock)
   • Stack

10. VM stack context layout (lowest address first)
   • 0: not initialized
   • VM context
   • rSP: reserved area
   • Stack of the protected code

11. "Virtualized" addition
   void unoptimal_addition( int a, int b, int *p )
   {
       int u, v, t, *r;
       u = a;
       v = b;
       r = p;
       t = u + v;
       *r = t;
   }

12. Virtualized code execution
   • Getting byte-code
   • Loading from VM context
   • Instruction execution
   • Saving to VM context
   • Getting byte-code
   • Loading from VM context
   • Instruction execution
   • Saving to VM context
   • etc…
   This code is asking to be optimized.

13. Code devirtualization
   • We can locate the VM context
   • We can get the CFG in most cases
   • We can use common code optimization algorithms to deobfuscate virtualized code
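Slides 5 to 13 describe the byte-code fetching loop, the VM context, and why the load/execute/save pattern of slide 12 is asking to be optimized. The following is an added example, not code from the authors or from Ariadne: a toy VM with an invented byte-code format and an invented VM context layout runs the body of unoptimal_addition() from slide 11, and a symbolic interpreter over the same byte-code (registers in the context hold expressions instead of values, which is the simplest form of the "common code optimization" step of slide 13) collapses the whole handler trace to its one visible effect, *p = a + b. The opcodes, the register numbering, the encoding of the addition and the sample arguments are all constructed for this illustration.

```python
"""Minimal code-virtualization VM plus a symbolic devirtualizer.

Added example for this page, not the authors' Ariadne code.  The byte-code
format, the VM context layout and the encoding of unoptimal_addition() are
invented to mirror the fetch / load from context / execute / save to context
loop described on the slides."""
from dataclasses import dataclass, field

# Invented opcodes.  Virtual registers r0..r3 live in the VM context.
LOAD_ARG, MOV, ADD, STORE, HALT = range(5)
MASK32 = 0xFFFFFFFF

# unoptimal_addition(a, b, p): u = a; v = b; r = p; t = u + v; *r = t
ADDITION_BYTECODE = [
    (LOAD_ARG, 0, 0),   # r0 = arg0   (u = a)
    (LOAD_ARG, 1, 1),   # r1 = arg1   (v = b)
    (LOAD_ARG, 2, 2),   # r2 = arg2   (r = p)
    (MOV, 3, 0),        # r3 = r0     (t = u)
    (ADD, 3, 1),        # r3 += r1    (t = u + v)
    (STORE, 2, 3),      # *r2 = r3    (*r = t)
    (HALT,),
]


@dataclass
class VMContext:
    """Virtual registers plus VM state; in a protector this is the block the
    handlers keep loading from and saving to (heap, global memory or stack)."""
    regs: list = field(default_factory=lambda: [0] * 4)
    pc: int = 0


def run_vm(bytecode, args, memory):
    """Concrete interpreter: the fetching loop of slide 7."""
    ctx = VMContext()
    while True:
        ins = bytecode[ctx.pc]                 # get instruction byte-code
        ctx.pc += 1
        op = ins[0]
        if op == LOAD_ARG:
            ctx.regs[ins[1]] = args[ins[2]]    # argument from outside the VM
        elif op == MOV:
            ctx.regs[ins[1]] = ctx.regs[ins[2]]        # load from / save to context
        elif op == ADD:
            ctx.regs[ins[1]] = (ctx.regs[ins[1]] + ctx.regs[ins[2]]) & MASK32
        elif op == STORE:
            memory[ctx.regs[ins[1]]] = ctx.regs[ins[2]]  # result leaves the VM
        elif op == HALT:
            return ctx


def devirtualize(bytecode, arg_names):
    """Symbolic interpreter over the same byte-code: context registers hold
    expressions, so every load/save pair through the context folds into one
    expression and only the externally visible stores survive."""
    regs, effects, pc = {}, [], 0
    while True:
        ins = bytecode[pc]
        pc += 1
        op = ins[0]
        if op == LOAD_ARG:
            regs[ins[1]] = arg_names[ins[2]]
        elif op == MOV:
            regs[ins[1]] = regs[ins[2]]                    # copy propagation
        elif op == ADD:
            regs[ins[1]] = f"({regs[ins[1]]} + {regs[ins[2]]})"
        elif op == STORE:
            effects.append(f"*{regs[ins[1]]} = {regs[ins[2]]}")
        elif op == HALT:
            return effects


if __name__ == "__main__":
    mem = {}
    run_vm(ADDITION_BYTECODE, [3, 4, 0x1000], mem)      # constructed sample input
    print(mem[0x1000])                                   # 7
    print(devirtualize(ADDITION_BYTECODE, ["a", "b", "p"]))  # ['*p = (a + b)']
```

In a real protector the handlers are separate routines reached through a dispatcher, and locating the context (slide 9: heap, global memory or stack) is the first step; once it is found, the sequence of loads and stores through it shown on slide 12 is exactly what copy propagation and dead store elimination remove.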
14. Code morphing
   • Used to increase resistance to static analysis
   • Used for CFG obfuscation
   • Used to make analysis of the VM body more complex

15. Code morphing and CFG obfuscation
   Decompiling machine code is a difficult task, therefore protectors do not even try to do it.

16. Code morphing and CFG obfuscation
   Data dependency analysis is weak in protectors, therefore they are limited in their choice of obfuscation techniques.

17. Code morphing common techniques: recursive templates
   A template expands into instructions and further templates, and each nested template expands the same way (template → instruction, instruction, template → … → instruction, template).

18. Code morphing common techniques
   • Dead code insertion
   • Garbage code insertion
   • Opaque predicates
   • Jump address calculation
   • Code cloning

19. Morphed code deobfuscation
   • Decompilation into IR
   • IR instruction emulation
   • Collecting variable values
   • Emulation-based deobfuscation techniques

20. Ariadne engine
   • An engine for RE
   • Can be used as an IDA plugin
   • Supports PE format analysis, disassembly and modification
   • Supports GP, FPU, MMX, SSE, SSE2, SSE3, SSSE3, SSE4.1, SSE4.2, SSE4a, VMX, SMX

21. Ariadne engine
   • Supports translation of assembler instructions into the Ariadne Intermediate Representation (AIR)
   • Supports IR instruction emulation
   • Contains emulator-based code tracing mechanisms

22. Ariadne engine
   • Contains built-in trace deobfuscation (AIR Wave Deobfuscation Technology)

23. AIR Wave Deobfuscation Technology
   • Static deobfuscation
     – based on classical compiler theory approaches
     – does not use emulation

24. AIR Wave Deobfuscation Technology
   • Dynamic deobfuscation
     – uses the Ariadne IR emulator
     – calculates the values of variables
     – determines, in many cases, where a pointer points to
     – used for deobfuscation of dereferenced pointers

25. AIR Wave Deobfuscation Technology
   • Deobfuscation techniques
     – dead code elimination
     – variable propagation
     – constant folding
     – math simplifications

26. AIR Wave Deobfuscation Technology
   • Deobfuscation techniques
     – loop unrolling
     – common subexpression elimination
     – pointer analysis and alias classification
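Slide 18 lists the morphing tricks and slides 23, 25 and 26 the static passes that AIR Wave applies to the IR. The following is an added example, not Ariadne/AIR code: a small invented three-address IR carries one straight-line block obfuscated with a garbage arithmetic chain, an opaque predicate, cloned copies, dead code and a computed jump address; a forward constant-folding and copy-propagation pass resolves the predicate and the jump target, and a backward liveness pass eliminates the dead and garbage definitions. The IR opcodes, the sample block and the addresses in it are constructed for the illustration, and control flow is limited to a single block so that the passes stay short.

```python
"""Static deobfuscation of a morphed straight-line IR block.

Added example for this page, not Ariadne/AIR code.  The three-address IR,
its opcodes and the sample block are invented to illustrate constant folding,
copy propagation, opaque-predicate and computed-jump resolution, and dead
code elimination."""

MASK32 = 0xFFFFFFFF

# Invented IR.  Registers are strings, immediates are ints.
#   ('set', dst, src)        dst = src
#   (op, dst, a, b)          dst = a <op> b, op in OPS
#   ('jz', cond, target)     if cond == 0 goto target
#   ('jmp', target)          goto target (target may be a register)
#   ('store', addr, val)     *addr = val  (observable side effect)
OPS = {
    'add': lambda a, b: (a + b) & MASK32,
    'mul': lambda a, b: (a * b) & MASK32,
    'xor': lambda a, b: a ^ b,
    'and': lambda a, b: a & b,
}

# Constructed sample.  The real work is t = x + y; *p = t; jmp 0x400020.
MORPHED = [
    ('set', 'k', 7),                   # garbage arithmetic chain
    ('mul', 'k', 'k', 3),              # k = 21
    ('xor', 'k', 'k', 4),              # k = 17
    ('and', 'c', 'k', 1),              # c = 1, so the jz below is never taken
    ('jz', 'c', 0x401000),             # opaque predicate guarding a junk target
    ('set', 'd', 'x'),                 # cloned copies of x
    ('set', 'e', 'd'),
    ('mul', 'g', 'x', 13),             # dead code: g is never read
    ('xor', 'g', 'g', 'g'),
    ('add', 't', 'e', 'y'),            # the real computation
    ('store', 'p', 't'),
    ('set', 'base', 0x400000),         # jump address calculation
    ('add', 'ret_addr', 'base', 0x20),
    ('jmp', 'ret_addr'),
]


def _define(known, reg, value):
    """Record what reg holds now and forget copies that referred to its old value."""
    for r, v in list(known.items()):
        if v == reg:
            del known[r]
    if value is None or value == reg:
        known.pop(reg, None)
    else:
        known[reg] = value


def fold_and_propagate(block):
    """Forward pass: constant folding plus copy propagation.  A branch whose
    condition folds to a constant is resolved: dropped if never taken, turned
    into an unconditional jump that ends the block if always taken."""
    known, out = {}, []                  # known: reg -> int or root register
    for ins in block:
        op = ins[0]
        sub = lambda v: known.get(v, v) if isinstance(v, str) else v
        if op == 'set':
            src = sub(ins[2])
            _define(known, ins[1], src)
            out.append(('set', ins[1], src))
        elif op in OPS:
            a, b = sub(ins[2]), sub(ins[3])
            if isinstance(a, int) and isinstance(b, int):
                val = OPS[op](a, b)
                _define(known, ins[1], val)
                out.append(('set', ins[1], val))
            else:
                _define(known, ins[1], None)
                out.append((op, ins[1], a, b))
        elif op == 'jz':
            cond, target = sub(ins[1]), sub(ins[2])
            if not isinstance(cond, int):
                out.append(('jz', cond, target))     # input-dependent: keep
            elif cond == 0:
                out.append(('jmp', target))
                break                                # always taken: rest unreachable
        elif op == 'jmp':
            out.append(('jmp', sub(ins[1])))
            break
        elif op == 'store':
            out.append(('store', sub(ins[1]), sub(ins[2])))
    return out


def eliminate_dead(block):
    """Backward liveness: stores and jumps are roots; a definition whose
    result is never read is dead or garbage code."""
    live, kept = set(), []
    for ins in reversed(block):
        if ins[0] in ('store', 'jz', 'jmp'):
            live.update(v for v in ins[1:] if isinstance(v, str))
            kept.append(ins)
        elif ins[1] in live:
            live.discard(ins[1])
            live.update(v for v in ins[2:] if isinstance(v, str))
            kept.append(ins)
    return kept[::-1]


def deobfuscate(block):
    return eliminate_dead(fold_and_propagate(block))


if __name__ == "__main__":
    for ins in deobfuscate(MORPHED):
        print(ins)      # add t x y / store p t / jmp 0x400020
```

The predicate here is resolved only because it depends on constants; an opaque predicate built on an input-dependent identity (for example, that x*(x+1) is always even) survives folding and needs the math simplifications of slide 25 or the emulation of slide 24 to be proven constant. Note also that the copy-propagation state is invalidated on redefinition, which is what makes the pass safe when a cloned register is overwritten later in the block.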
27. Our results
   • Many obfuscators/protectors provide weak obfuscation
   • The Ariadne engine can be used effectively for deobfuscation

28. AIR Wave Deobfuscation Technology
   Tested on …
   See it for yourself

29. And our thanks go…
   • To Rolf Rolles for his works on unpacking virtualization obfuscators
   • To Leta Group for sponsoring Ariadne

30. Ariadne engine
   http://ariadne.group-ib.ru
