• Title, Summary, Keyword: Anti-Debugging

Search Result 7, Processing Time 0.068 seconds

An automatic detection scheme of anti-debugging routines to the environment for analysis (분석 환경에 따른 안티 디버깅 루틴 자동 탐지 기법)

  • Park, Jin-Woo;Park, Yong-Su
    • Journal of Internet Computing and Services
    • /
    • v.15 no.6
    • /
    • pp.47-54
    • /
    • 2014
  • Anti-debugging is one of the techniques implemented within the computer code to hinder attempts at reverse engineering so that attackers or analyzers will not be able to use debuggers to analyze the program. The technique has been applied to various programs and is still commonly used in order to prevent malware or malicious code attacks or to protect the programs from being analyzed. In this paper, we will suggest an automatic detection scheme for anti-debugging routines. With respect to the automatic detection, debuggers and a simulator were used by which trace information on the Application Program Interface(API) as well as executive instructions were extracted. Subsequently, the extracted instructions were examined and compared so as to detect points automatically where suspicious activity was captured as anti-debugging routines. Based on experiments to detect anti-debugging routines using such methods, 21 out of 25 anti-debugging techniques introduced in this paper appear to be able to detect anti-debugging routines properly. The technique in the paper is therefore not dependent upon a certain anti-debugging method. As such, the detection technique is expected to also be available for anti-debugging techniques that will be developed or discovered in the future.

The design and implementation of pin plugin tool to bypass anti-debugging techniques (Pin을 이용한 안티디버깅 우회 설계 및 구현)

  • Hong, Soohwa;Park, Yongsu
    • Journal of Internet Computing and Services
    • /
    • v.17 no.5
    • /
    • pp.33-42
    • /
    • 2016
  • Pin is a framework that creates dynamic program analysis tools and can be used to perform program analysis on user space in Linux and Windows. It is hard to analyze the program such as Anti-reversing program or malware using anti-debugging by Pin. In this paper, we will suggest the implementation of scheme bypassing anti-debugging with Pin. Each pin code is written to bypass anti-debugging detecting Pin. And Pin creates a pin tool combined with Pin codes that bypass anti-debugging methods. The pin tool are tested with files created by anti-debugging protector. The technique in the paper is expected to be a reference of code bypassing anti-debugging and be applied to bypass newly discovered anti-debugging through code modification in the future.

A Scheme on Anomaly Prevention for Systems in IoT Environment (사물인터넷 환경에서 시스템에 대한 비정상행위 방지 기법)

  • Lee, Keun-Ho
    • Journal of The Korea Internet of Things Society
    • /
    • v.5 no.2
    • /
    • pp.95-101
    • /
    • 2019
  • Entering the era of the 4th Industrial Revolution and the Internet of Things, various services are growing rapidly, and various researches are actively underway. Among them, research on abnormal behaviors on various devices that are being used in the IoT is being conducted. In a hyper-connected society, the damage caused by one wrong device can have a serious impact on the various connected systems. In this paper, We propose a technique to cope with the problem that the threats caused by various abnormal behaviors such as anti-debugging scheme, anomalous process detection method and back door detection method on how to increase the safety of the device and how to use the device and service safely in such IoT environment.

Development and Analyses of Xen based Dynamic Binary Instrumentation using Intel VT (Intel VT 기술을 이용한 Xen 기반 동적 악성코드 분석 시스템 구현 및 평가)

  • Kim, Tae-Hyoung;Kim, In-Hyuk;Eom, Young-Ik;Kim, Won-Ho
    • Journal of KIISE:Computer Systems and Theory
    • /
    • v.37 no.5
    • /
    • pp.304-313
    • /
    • 2010
  • There are several methods for malware analyses. However, it is difficult to detect malware exactly with existing detection methods. Especially, malware with strong anti-debugging facilities can detect analyzer and disturb their analyses. Furthermore, it takes too much time to analyze malware. In order to resolve these problems of current analyzers, more improved analysis scheme is required. This paper suggests a dynamic binary instrumentation which supports the instruction analysis and the memory access tracing. Additionally, by supporting the API call tracing with the DLL loading analysis, our system establishes the foundation for analyzing various executable codes. Based on Xen, full-virtualization environment is built using Intel's VT technology. Windows XP can be used as a guest. We analyze representative malware using several functions of our system, and show the accuracy and efficiency enhancements in binary analyses capability of our system.

How to Prevent Software crack for Control PE (PE Format 조작을 통한 소프트웨어 크랙 방지 기술)

  • Kim, Tae-hyoung;Jang, Jong-uk
    • Proceedings of the Korean Institute of Information and Commucation Sciences Conference
    • /
    • /
    • pp.249-251
    • /
    • 2017
  • In the past, People thought that software security was not important. but Skills of attacking software has growing up in fast, software crack fall down software industry growth and profit of copyright holder was declined. So I propose software crack prevention for changing PE Format. Hackers can analyze program in static. As we change the PE format, we can prevent static analysis. As I insert anti - debugging code the exe file, the program is protected from dynamic analysis.

  • PDF

Implementation of DAS for Performance Analysis of Heavy-Vehicle ABS (대형 차량용 ABS의 성능분석을 위한 DAS 구현)

  • Lee, Ki-Chang;Jeon, Jung-Woo;Nam, Taek-Kun;Hwang, Don-Ha;Kim, Yong-Joo
    • Proceedings of the KIEE Conference
    • /
    • /
    • pp.2373-2375
    • /
    • 2002
  • 전자 제어식 미끄럼 방지 제동 장치(ABS, Anti-lock Brake System)를 장착한 차량의 실차 제동 시험은 시험용 차량을 비롯하여, 많은 분석장비를 필요로 한다. 이러한 고가의 장비는 구하기가 어려울 뿐만 아니라 사용방법을 학습하는 데에도 상당한 기간을 필요로 하므로, 개발중인 ABS에 대하여 적용해 보기에는 그 사용에 제약을 받는다. 본 논문에서는 개발중인 미끄럼방지 제동 알고리즘과 전자제어장치(ECU, Electronic Control Unit)를 대형 버스에 장착하여, 저 점착 노면에서 주행 시험을 시행하였고, 그 주행 기록의 분석을 위하여 DAS(Data Acquisition System)를 구현하였다. 개발 ABS 알고리즘 및 ECU의 기능과 성능 검증이 목적인 DAS는 부가적인 센서 및 고가의 장비를 사용하지 않고 제어보드와 휴대용 노트북 컴퓨터를 이용하였다. 고정밀도의 자료를 획득할 수는 없었지만, 개발 DAS를 이용한 차량 실차 제동 시험은 경제적이면서도 효과적인 ECU 및 알고리즘의 성능 분석을 이룰 수 있었다. 특히 개발 DAS는 제어 및 Data Acquisition을 동일한 보드를 사용하여 구현함으로써, ABS 장착 실차 주행 시험 결과를 제어알고리즘에 즉각적으로 반영시킨 수 있었다. 이러한 One Board System 및 On-Vehicle Programming을 이용한 방법은 개발 알고리즘의 빠른 Debugging 및 파라미터 조정(Tuning)을 가능하게 하였으므로, 실차 제동 시험을 위한 한정된 기간 내에 개발 ABS ECU 및 제어 알고리즘의 성능을 효과적으로 검증할 수 있었다.

  • PDF

Improved Original Entry Point Detection Method Based on PinDemonium (PinDemonium 기반 Original Entry Point 탐지 방법 개선)

  • Kim, Gyeong Min;Park, Yong Su
    • KIPS Transactions on Computer and Communication Systems
    • /
    • v.7 no.6
    • /
    • pp.155-164
    • /
    • 2018
  • Many malicious programs have been compressed or encrypted using various commercial packers to prevent reverse engineering, So malicious code analysts must decompress or decrypt them first. The OEP (Original Entry Point) is the address of the first instruction executed after returning the encrypted or compressed executable file back to the original binary state. Several unpackers, including PinDemonium, execute the packed file and keep tracks of the addresses until the OEP appears and find the OEP among the addresses. However, instead of finding exact one OEP, unpackers provide a relatively large set of OEP candidates and sometimes OEP is missing among candidates. In other words, existing unpackers have difficulty in finding the correct OEP. We have developed new tool which provides fewer OEP candidate sets by adding two methods based on the property of the OEP. In this paper, we propose two methods to provide fewer OEP candidate sets by using the property that the function call sequence and parameters are same between packed program and original program. First way is based on a function call. Programs written in the C/C++ language are compiled to translate languages into binary code. Compiler-specific system functions are added to the compiled program. After examining these functions, we have added a method that we suggest to PinDemonium to detect the unpacking work by matching the patterns of system functions that are called in packed programs and unpacked programs. Second way is based on parameters. The parameters include not only the user-entered inputs, but also the system inputs. We have added a method that we suggest to PinDemonium to find the OEP using the system parameters of a particular function in stack memory. OEP detection experiments were performed on sample programs packed by 16 commercial packers. We can reduce the OEP candidate by more than 40% on average compared to PinDemonium except 2 commercial packers which are can not be executed due to the anti-debugging technique.