Obfuscation Code Localization Based on CFG Generation of Malware

Author Nguyen Minh Hai, Mizuhito Ogawa, Quan Thanh Tho
Description This paper presents BE-PUM (Binary Emulator for PUshdown Model generation), a tool that generates a precise control flow graph (CFG) in the presence of typical malware obfuscation techniques, e.g., indirect jumps, self-modification, overlapping instructions, and structured exception handlers (SEH), which cover packers. Experiments are performed on 2000 real-world malware examples taken from VX Heaven, comparing the results of the popular commercial disassembler IDA Pro, the state-of-the-art tool JakStab, and BE-PUM. They show that BE-PUM correctly traces CFGs where IDA Pro and JakStab fail. By manual inspection of 300 malware examples, we also observe that the points at which these failures start locate exactly the entries of the obfuscation code.
Size 524.56kB
Date Tuesday 17 May 2016 - 01:28:19
Downloads 439