An automatic detection scheme of anti-debugging routines to the environment for analysis

  • Park, Jin-Woo (Department of Electronics and Computer Engineering, Hanyang University)
  • Park, Yong-Su (Department of Computer Science and Engineering, Hanyang University)
  • Received: 2014.08.20
  • Accepted: 2014.09.15
  • Published: 2014.12.31

Abstract

Anti-debugging is one of several anti-reverse-engineering techniques: code placed in a program so that attackers or analysts cannot examine it with a debugger. It has long been applied to malware and to other programs whose authors want to hinder analysis, and it remains in common use today. This paper proposes an automatic detection scheme for anti-debugging routines. Detection proceeds by extracting traces of the executed instructions and of the Application Program Interface (API) calls under both a debugger and a simulator, then comparing the two sets of traces to locate the points where the program's behavior differs; those points are flagged as suspected anti-debugging routines. In experiments, the scheme correctly detected 21 of 25 known anti-debugging techniques. The scheme therefore does not depend on any particular anti-debugging method, and it is expected to apply to anti-debugging techniques that are developed or discovered in the future as well.
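The trace-comparison step the abstract describes can be illustrated with a small differential analysis over two instruction/API traces, one recorded under a debugger and one under a simulator. The Python below is an added example for this page, not the authors' implementation: the trace line format, the addresses, the instruction text, the two sample traces and the resynchronization window are all constructed for illustration (the program they imitate is hypothetical).

```python
"""Differential trace comparison: flag the points where a program's control flow
under a debugger diverges from its control flow under a simulator.

Illustrative example written for this page; not the paper's code. The addresses,
instruction text and API names in the sample traces are constructed by hand to
resemble a 32-bit Windows program that runs two anti-debugging checks."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TraceEntry:
    addr: int
    mnemonic: str
    api: Optional[str] = None   # Win32 API invoked at this instruction, if any


@dataclass(frozen=True)
class Divergence:
    split_at: Optional[TraceEntry]           # last instruction both runs executed (the deciding branch)
    debugger_path: Tuple[TraceEntry, ...]    # instructions only the debugged run executed
    simulator_path: Tuple[TraceEntry, ...]   # instructions only the simulated run executed
    last_api: Optional[TraceEntry]           # nearest preceding API call in the common segment
    rejoined: bool                           # did both runs meet again within the window?


def parse_trace(text: str) -> List[TraceEntry]:
    """Parse lines of the (assumed) form '<hex addr> <mnemonic ...> [api=<Name>]'."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens:
            continue
        api = tokens.pop()[4:] if tokens[-1].startswith("api=") else None
        entries.append(TraceEntry(int(tokens[0], 16), " ".join(tokens[1:]), api))
    return entries


def _resync(dbg, sim, i, j, window):
    """Earliest (k, l) within `window` entries where both traces execute the same
    address again; None if the two runs never meet (e.g. one of them exits)."""
    sim_ahead = {}
    for l in range(j, min(len(sim), j + window)):
        sim_ahead.setdefault(sim[l].addr, l)
    for k in range(i, min(len(dbg), i + window)):
        if dbg[k].addr in sim_ahead:
            return k, sim_ahead[dbg[k].addr]
    return None


def find_divergences(dbg: List[TraceEntry], sim: List[TraceEntry],
                     window: int = 32) -> List[Divergence]:
    """Walk both traces in lockstep; each split is a suspected anti-debugging check."""
    found = []
    i = j = seg_start = 0
    while i < len(dbg) and j < len(sim):
        if dbg[i].addr == sim[j].addr:
            i, j = i + 1, j + 1
            continue
        split = dbg[i - 1] if i > 0 else None
        # Only look back to the start of the current common segment, so an API call
        # from an earlier check is not blamed for a later, API-free one.
        last_api = next((e for e in reversed(dbg[seg_start:i]) if e.api), None)
        meet = _resync(dbg, sim, i, j, window)
        k, l = meet if meet else (len(dbg), len(sim))
        found.append(Divergence(split, tuple(dbg[i:k]), tuple(sim[j:l]), last_api, meet is not None))
        if meet is None:
            break
        i, j, seg_start = k, l, k
    return found


# Constructed sample traces. Check 1: IsDebuggerPresent (API-based). Check 2: reads
# PEB.NtGlobalFlag via fs:[30h] (no API call at all). Under the debugger both fire.
DEBUGGER_TRACE = """
00401000 push ebp
00401001 mov ebp,esp
00401003 call dword ptr [IsDebuggerPresent] api=IsDebuggerPresent
00401009 test eax,eax
0040100B jne 00401050
00401050 mov dword ptr [00403000],1
0040105A jmp 0040100D
0040100D mov eax,fs:[30h]
00401013 mov eax,[eax+68h]
00401016 and eax,70h
00401019 jnz 00401060
00401060 push 1
00401062 call dword ptr [ExitProcess] api=ExitProcess
"""

SIMULATOR_TRACE = """
00401000 push ebp
00401001 mov ebp,esp
00401003 call dword ptr [IsDebuggerPresent] api=IsDebuggerPresent
00401009 test eax,eax
0040100B jne 00401050
0040100D mov eax,fs:[30h]
00401013 mov eax,[eax+68h]
00401016 and eax,70h
00401019 jnz 00401060
0040101B push 00403010
00401020 call dword ptr [printf] api=printf
00401026 ret
"""


def analyze(dbg_text: str, sim_text: str) -> List[Divergence]:
    return find_divergences(parse_trace(dbg_text), parse_trace(sim_text))


if __name__ == "__main__":
    for n, d in enumerate(analyze(DEBUGGER_TRACE, SIMULATOR_TRACE), 1):
        api = d.last_api.api if d.last_api else "none"
        print(f"[{n}] split after {d.split_at.addr:08X} '{d.split_at.mnemonic}' "
              f"(preceding API: {api}, rejoined: {d.rejoined})")
        print("    debugger-only :", [f"{e.addr:08X}" for e in d.debugger_path])
        print("    simulator-only:", [f"{e.addr:08X}" for e in d.simulator_path])
```

Each reported divergence names the branch that decided it, the code that only one environment executed, and the nearest preceding API call. The second divergence comes from a PEB flag read with no API call at all, which is why instruction-level traces are needed alongside API traces. The comparison keys on addresses, so it assumes both environments load the image at the same base and that any difference is caused by the environment rather than by unrelated non-determinism (timing, random values, thread scheduling); in practice each environment would be traced more than once and only divergences that reproduce would be reported.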
