A new instruction overlapping technique for improved anti-disassembly and obfuscation of x86 binaries
Authors
Summary, in English
We propose and investigate a new novel anti-disassembly method that allows for exceptional flexibility in the hidden instructions, while at the same time providing a disassembled main path that is executable. This allows the approach to be very efficient against static linear sweep disassembly, but also to be more difficult to detect using dynamic analysis methods. The idea is to utilize highly redundant instructions, e.g., multibyte no-operation instructions, and embed the hidden code in the configurable portions of those instructions. By carefully selecting wrapping instructions, providing overlaps, the hidden execution path can be crafted with great flexibility. We also provide a detection algorithm, together with testing results, for testing software such that the hidden execution path can be identified.
Department(s)
Publication year
2013
Language
English
Pages
25-33
Publication/Journal/Series
Workshop on Anti-malware Testing Research (WATeR), Montreal, QC, Canada
Full text
- Available as PDF - 90 kB
Document type
Conference paper
Publisher
IEEE - Institute of Electrical and Electronics Engineers Inc.
Subject
- Electrical Engineering, Electronic Engineering, Information Engineering
Keywords
- overlapping instructions, anti-disassembly, hidden execution path, obfuscation, malware, x86
Conference name
Workshop on Anti-malware Testing Research (WATeR)
Conference date
2013-10-30
Conference place
Montreal, Canada
Status
Published
Research group
- Crypto and Security
ISBN/ISSN/Other
- ISBN: 978-1-4799-2476-9