File download information...
Modern packers use API obfuscation techniques to obstruct malware sandboxes and reverse engineers. In such packers, API call instructions are replaced with equivalent lengthy and complex code. API obfuscation techniques can be categorized into two according to the obfuscation time - static and dynamic. Static obfuscation embeds obfuscated instructions into the executable file. Dynamic obfuscation allocates a new memory block and copies obfuscated API function code into the newly allocated block. For dynamic obfuscation, I suggest memory access analysis. Previous approaches use pattern matching of the obfuscating code or code optimization on instruction trace. Pattern matching and code optimization based approaches are fragile to pattern change along the version up of the packers. My approach utilizes the API function obfuscation process which is harder to change than obfuscation pattern. Embedded obfuscator in packed file obfuscates each API function during runtime by reading the original API function code and writing the obfuscated API code on a newly allocated memory block. Memory access analysis relates memory reads of each API function and its corresponding memory writes. Memory access analysis produces a map from the obfuscated API function addresses to the original API function. Obfuscated API calls are retrieved by obfuscated call pattern at OEP. Each obfuscated call instruction is replaced by the deobfuscated API calls of which the call target is resolved by the map from memory access analysis. This deobfuscation method is implemented with Intel Pin to record each memory read/write/execute of the packed binary. For static obfuscation, I suggest iterative run-until-API method. Previous approaches used code emulators to identify obfuscated API calls. But most code emulators are not appropriate for deobfuscation because they are developed for emulating the whole operating system. Developing own emulators is time consuming because it requires implementing comple... Read more↗
|Updated||10 months ago|
|Checked||1 month ago|
|Keywords||us pitts repurposing onionduke single case study around reusing nation state malware pdf onion duke|
us-15-Pitts-Repurposing-OnionDuke-A-Single-Case-Study-Around-Reusing-Nation-State-Malware.pdf is a portable multi-platform document format that may contain an ebook, report, manual or general purpose data. The download size as indicated by the server is 8.73MB (9151141 bytes). The host server on www.blackhat.com has returned application/pdf as the content type of the download which was updated on 05/11/2018 and was last checked by Webeaver.com crawlers on 01/31/2019. You may use one or more of the following keywords [us pitts repurposing onionduke single case study around reusing nation state malware pdf onion duke] to search for other files related to the one you are about to download.