• Title, Summary, Keyword: 안티디버깅

Search Result 6, Processing Time 0.038 seconds

The design and implementation of pin plugin tool to bypass anti-debugging techniques (Pin을 이용한 안티디버깅 우회 설계 및 구현)

  • Hong, Soohwa;Park, Yongsu
    • Journal of Internet Computing and Services
    • /
    • v.17 no.5
    • /
    • pp.33-42
    • /
    • 2016
  • Pin is a framework that creates dynamic program analysis tools and can be used to perform program analysis on user space in Linux and Windows. It is hard to analyze the program such as Anti-reversing program or malware using anti-debugging by Pin. In this paper, we will suggest the implementation of scheme bypassing anti-debugging with Pin. Each pin code is written to bypass anti-debugging detecting Pin. And Pin creates a pin tool combined with Pin codes that bypass anti-debugging methods. The pin tool are tested with files created by anti-debugging protector. The technique in the paper is expected to be a reference of code bypassing anti-debugging and be applied to bypass newly discovered anti-debugging through code modification in the future.

An automatic detection scheme of anti-debugging routines to the environment for analysis (분석 환경에 따른 안티 디버깅 루틴 자동 탐지 기법)

  • Park, Jin-Woo;Park, Yong-Su
    • Journal of Internet Computing and Services
    • /
    • v.15 no.6
    • /
    • pp.47-54
    • /
    • 2014
  • Anti-debugging is one of the techniques implemented within the computer code to hinder attempts at reverse engineering so that attackers or analyzers will not be able to use debuggers to analyze the program. The technique has been applied to various programs and is still commonly used in order to prevent malware or malicious code attacks or to protect the programs from being analyzed. In this paper, we will suggest an automatic detection scheme for anti-debugging routines. With respect to the automatic detection, debuggers and a simulator were used by which trace information on the Application Program Interface(API) as well as executive instructions were extracted. Subsequently, the extracted instructions were examined and compared so as to detect points automatically where suspicious activity was captured as anti-debugging routines. Based on experiments to detect anti-debugging routines using such methods, 21 out of 25 anti-debugging techniques introduced in this paper appear to be able to detect anti-debugging routines properly. The technique in the paper is therefore not dependent upon a certain anti-debugging method. As such, the detection technique is expected to also be available for anti-debugging techniques that will be developed or discovered in the future.

A Scheme on Anomaly Prevention for Systems in IoT Environment (사물인터넷 환경에서 시스템에 대한 비정상행위 방지 기법)

  • Lee, Keun-Ho
    • Journal of The Korea Internet of Things Society
    • /
    • v.5 no.2
    • /
    • pp.95-101
    • /
    • 2019
  • Entering the era of the 4th Industrial Revolution and the Internet of Things, various services are growing rapidly, and various researches are actively underway. Among them, research on abnormal behaviors on various devices that are being used in the IoT is being conducted. In a hyper-connected society, the damage caused by one wrong device can have a serious impact on the various connected systems. In this paper, We propose a technique to cope with the problem that the threats caused by various abnormal behaviors such as anti-debugging scheme, anomalous process detection method and back door detection method on how to increase the safety of the device and how to use the device and service safely in such IoT environment.

Design and Implementation of Anti-reversing Code Evasion Framework for Intelligent Malware Analysis (지능형 악성코드 분석을 위한 안티리버싱 코드 우회 프레임워크 설계 및 구현)

  • Lee, SunJun;Kim, KyuHo;Shin, YongGu;Yi, Jeong Hyun
    • Proceedings of the Korea Information Processing Society Conference
    • /
    • /
    • pp.218-221
    • /
    • 2018
  • 최근 악성코드의 수가 급격하게 증가하고 있으며 단순히 악성 행위를 하는 것 뿐 아니라 안티디버깅과 같은 다양한 분석 방지 기능을 탑재하여 악성코드의 분석을 어렵게 한다. 역공학 방지 기법이 적용된 지능형 악성코드를 기존 분석 도구를 사용하여 분석하면 악성행위를 하지 않거나 임의로 자기 자신을 종료시키는 방식으로 분석이 용이하지 않다. 이러한 지능형 악성코드들은 분석하기 어려울 뿐만아니라 기존 백신의 탐지 기능에 전혀 제약을 받지 않는다. 본 논문은 이와 같은 최신 지능형 악성코드에 보다 빠르게 대처하기 위해 역공학 방지 기법이 적용된 악성코드들이 메모리상에서 종료되지 않고 정상 동작하여 악성행위를 자동으로 파악할 수 있는 동적 코드 계측 프레임워크를 제안한다. 또한, 제안한 프레임워크를 개념 검증하기 위해 프로토타입을 설계 및 구현하고, 실험을 통해 그 유효성을 확인한다.

Development and Analyses of Xen based Dynamic Binary Instrumentation using Intel VT (Intel VT 기술을 이용한 Xen 기반 동적 악성코드 분석 시스템 구현 및 평가)

  • Kim, Tae-Hyoung;Kim, In-Hyuk;Eom, Young-Ik;Kim, Won-Ho
    • Journal of KIISE:Computer Systems and Theory
    • /
    • v.37 no.5
    • /
    • pp.304-313
    • /
    • 2010
  • There are several methods for malware analyses. However, it is difficult to detect malware exactly with existing detection methods. Especially, malware with strong anti-debugging facilities can detect analyzer and disturb their analyses. Furthermore, it takes too much time to analyze malware. In order to resolve these problems of current analyzers, more improved analysis scheme is required. This paper suggests a dynamic binary instrumentation which supports the instruction analysis and the memory access tracing. Additionally, by supporting the API call tracing with the DLL loading analysis, our system establishes the foundation for analyzing various executable codes. Based on Xen, full-virtualization environment is built using Intel's VT technology. Windows XP can be used as a guest. We analyze representative malware using several functions of our system, and show the accuracy and efficiency enhancements in binary analyses capability of our system.

Improved Original Entry Point Detection Method Based on PinDemonium (PinDemonium 기반 Original Entry Point 탐지 방법 개선)

  • Kim, Gyeong Min;Park, Yong Su
    • KIPS Transactions on Computer and Communication Systems
    • /
    • v.7 no.6
    • /
    • pp.155-164
    • /
    • 2018
  • Many malicious programs have been compressed or encrypted using various commercial packers to prevent reverse engineering, So malicious code analysts must decompress or decrypt them first. The OEP (Original Entry Point) is the address of the first instruction executed after returning the encrypted or compressed executable file back to the original binary state. Several unpackers, including PinDemonium, execute the packed file and keep tracks of the addresses until the OEP appears and find the OEP among the addresses. However, instead of finding exact one OEP, unpackers provide a relatively large set of OEP candidates and sometimes OEP is missing among candidates. In other words, existing unpackers have difficulty in finding the correct OEP. We have developed new tool which provides fewer OEP candidate sets by adding two methods based on the property of the OEP. In this paper, we propose two methods to provide fewer OEP candidate sets by using the property that the function call sequence and parameters are same between packed program and original program. First way is based on a function call. Programs written in the C/C++ language are compiled to translate languages into binary code. Compiler-specific system functions are added to the compiled program. After examining these functions, we have added a method that we suggest to PinDemonium to detect the unpacking work by matching the patterns of system functions that are called in packed programs and unpacked programs. Second way is based on parameters. The parameters include not only the user-entered inputs, but also the system inputs. We have added a method that we suggest to PinDemonium to find the OEP using the system parameters of a particular function in stack memory. OEP detection experiments were performed on sample programs packed by 16 commercial packers. We can reduce the OEP candidate by more than 40% on average compared to PinDemonium except 2 commercial packers which are can not be executed due to the anti-debugging technique.