Hybrid emulation for bypassing anti-reversing techniques and analyzing malware
DC Field | Value | Language |
---|---|---|
dc.contributor.author | Choi, Seokwoo | - |
dc.contributor.author | Chang, Taejoo | - |
dc.contributor.author | Yoon, Sung-woo | - |
dc.contributor.author | Park, Yongsu | - |
dc.date.accessioned | 2022-07-07T09:15:30Z | - |
dc.date.available | 2022-07-07T09:15:30Z | - |
dc.date.created | 2021-05-11 | - |
dc.date.issued | 2021-01 | - |
dc.identifier.issn | 0920-8542 | - |
dc.identifier.uri | https://scholarworks.bwise.kr/hanyang/handle/2021.sw.hanyang/144002 | - |
dc.description.abstract | Malware uses a variety of anti-reverse engineering techniques, which makes its analysis difficult. Dynamic analysis tools, e.g., debuggers, DBI (Dynamic Binary Instrumentation), and CPU emulators, do not provide both accuracy and convenience when analyzing complex malware, which utilizes diverse anti-reversing techniques. Debuggers are convenient, but are easily detected by anti-debugging techniques. DBI tools are better for bypassing anti-reversing techniques than debuggers, but cannot execute complex programs correctly. Emulators are not designed for precise malware analysis. To address the problem fundamentally, we developed a new approach completely different from the previous works. We present a new dynamic analysis scheme for malware, which includes automatic detection and evasion of various anti-reversing techniques. This approach combines a CPU simulator and actual code execution, i.e., machine instructions are simulated with the CPU simulator, whereas API functions are directly executed when they are called. In this method, the CPU simulator can precisely execute code without modifying the code chunks for trampolines. Moreover, our method takes advantage of the OS functionalities, including thread management or interrupt handling. We conducted experiments on 16 widely used protectors, which show that our method outperforms conventional tools: Pin, DynamoRIO, Apate, and OllyAdvanced. Our scheme can unpack 15 protectors and bypass the anti-debugging techniques associated with them. | - |
dc.language | English | - |
dc.language.iso | en | - |
dc.publisher | SPRINGER | - |
dc.title | Hybrid emulation for bypassing anti-reversing techniques and analyzing malware | - |
dc.type | Article | - |
dc.contributor.affiliatedAuthor | Park, Yongsu | - |
dc.identifier.doi | 10.1007/s11227-020-03270-6 | - |
dc.identifier.scopusid | 2-s2.0-85084092960 | - |
dc.identifier.wosid | 000527495100002 | - |
dc.identifier.bibliographicCitation | JOURNAL OF SUPERCOMPUTING, v.77, no.1, pp.471 - 497 | - |
dc.relation.isPartOf | JOURNAL OF SUPERCOMPUTING | - |
dc.citation.title | JOURNAL OF SUPERCOMPUTING | - |
dc.citation.volume | 77 | - |
dc.citation.number | 1 | - |
dc.citation.startPage | 471 | - |
dc.citation.endPage | 497 | - |
dc.type.rims | ART | - |
dc.type.docType | Article | - |
dc.description.journalClass | 1 | - |
dc.description.isOpenAccess | N | - |
dc.description.journalRegisteredClass | scie | - |
dc.description.journalRegisteredClass | scopus | - |
dc.relation.journalResearchArea | Computer Science | - |
dc.relation.journalResearchArea | Engineering | - |
dc.relation.journalWebOfScienceCategory | Computer Science, Hardware & Architecture | - |
dc.relation.journalWebOfScienceCategory | Computer Science, Theory & Methods | - |
dc.relation.journalWebOfScienceCategory | Engineering, Electrical & Electronic | - |
dc.subject.keywordPlus | Application programming interfaces (API) | - |
dc.subject.keywordPlus | Malware | - |
dc.subject.keywordPlus | Reverse engineering | - |
dc.subject.keywordPlus | Simulators | - |
dc.subject.keywordPlus | Anti-reverse engineerings | - |
dc.subject.keywordPlus | Automatic Detection | - |
dc.subject.keywordPlus | Complex programs | - |
dc.subject.keywordPlus | Dynamic analysis tools | - |
dc.subject.keywordPlus | Dynamic binary instrumentation | - |
dc.subject.keywordPlus | Interrupt handling | - |
dc.subject.keywordPlus | Machine instructions | - |
dc.subject.keywordPlus | Malware analysis | - |
dc.subject.keywordPlus | Program debugging | - |
dc.subject.keywordAuthor | Dynamic analysis | - |
dc.subject.keywordAuthor | Anti-reverse engineering | - |
dc.subject.keywordAuthor | Malware | - |
dc.subject.keywordAuthor | Computer security | - |
dc.identifier.url | https://link.springer.com/article/10.1007/s11227-020-03270-6 | - |