• Title/Summary/Keyword: Anti-Debugging


An automatic detection scheme of anti-debugging routines to the environment for analysis (분석 환경에 따른 안티 디버깅 루틴 자동 탐지 기법)

  • Park, Jin-Woo; Park, Yong-Su
    • Journal of Internet Computing and Services, v.15 no.6, pp.47-54, 2014
  • Anti-debugging is one of the techniques implemented within computer code to hinder attempts at reverse engineering, so that attackers or analysts will not be able to use debuggers to analyze the program. The technique has been applied to various programs and is still commonly used, either to prevent malware or malicious code attacks or to protect programs from being analyzed. In this paper, we suggest an automatic detection scheme for anti-debugging routines. For the automatic detection, debuggers and a simulator were used to extract trace information on Application Program Interface (API) calls as well as executed instructions. Subsequently, the extracted instructions were examined and compared so as to automatically detect the points where suspicious activity was captured as anti-debugging routines. In experiments to detect anti-debugging routines using this method, 21 out of the 25 anti-debugging techniques introduced in this paper were detected properly. The technique in this paper is therefore not dependent upon a particular anti-debugging method. As such, the detection technique is expected to also be applicable to anti-debugging techniques that will be developed or discovered in the future.

The design and implementation of pin plugin tool to bypass anti-debugging techniques (Pin을 이용한 안티디버깅 우회 설계 및 구현)

  • Hong, Soohwa; Park, Yongsu
    • Journal of Internet Computing and Services, v.17 no.5, pp.33-42, 2016
  • Pin is a framework that creates dynamic program analysis tools and can be used to perform program analysis in user space on Linux and Windows. It is hard to use Pin to analyze programs such as anti-reversing programs or malware that employ anti-debugging. In this paper, we suggest the implementation of a scheme for bypassing anti-debugging with Pin. Each Pin code is written to bypass an anti-debugging routine that detects Pin, and Pin creates a pin tool combined with the Pin codes that bypass the anti-debugging methods. The pin tool is tested with files created by an anti-debugging protector. The technique in this paper is expected to serve as a reference for code that bypasses anti-debugging and to be applied to bypass newly discovered anti-debugging methods through code modification in the future.

A Scheme on Anomaly Prevention for Systems in IoT Environment (사물인터넷 환경에서 시스템에 대한 비정상행위 방지 기법)

  • Lee, Keun-Ho
    • Journal of Internet of Things and Convergence, v.5 no.2, pp.95-101, 2019
  • Entering the era of the 4th Industrial Revolution and the Internet of Things, various services are growing rapidly, and various research efforts are actively underway. Among them, research on abnormal behaviors of the various devices being used in the IoT is being conducted. In a hyper-connected society, the damage caused by one faulty device can have a serious impact on the various connected systems. In this paper, we propose a technique to cope with the threats caused by various abnormal behaviors, covering an anti-debugging scheme, an anomalous process detection method and a back door detection method, as a way to increase the safety of the device and to use the device and service safely in such an IoT environment.

Development and Analyses of Xen based Dynamic Binary Instrumentation using Intel VT (Intel VT 기술을 이용한 Xen 기반 동적 악성코드 분석 시스템 구현 및 평가)

  • Kim, Tae-Hyoung; Kim, In-Hyuk; Eom, Young-Ik; Kim, Won-Ho
    • Journal of KIISE: Computer Systems and Theory, v.37 no.5, pp.304-313, 2010
  • There are several methods for malware analysis. However, it is difficult to detect malware exactly with existing detection methods. In particular, malware with strong anti-debugging facilities can detect the analyzer and disturb its analysis. Furthermore, it takes too much time to analyze malware. In order to resolve these problems of current analyzers, a more advanced analysis scheme is required. This paper suggests a dynamic binary instrumentation which supports instruction analysis and memory access tracing. Additionally, by supporting API call tracing with DLL loading analysis, our system establishes the foundation for analyzing various executable codes. Based on Xen, a full-virtualization environment is built using Intel's VT technology. Windows XP can be used as a guest. We analyze representative malware using several functions of our system, and show the accuracy and efficiency enhancements in the binary analysis capability of our system.

Analysis of Anti-Reversing Functionalities of VMProtect and Bypass Method Using Pin (VMProtect의 역공학 방해 기능 분석 및 Pin을 이용한 우회 방안)

  • Park, Seongwoo; Park, Yongsu
    • KIPS Transactions on Computer and Communication Systems, v.10 no.11, pp.297-304, 2021
  • Commercial obfuscation tools (protectors) aim to make it difficult to analyze the operation of software by applying obfuscation techniques and anti-reversing techniques that delay and interrupt the analysis of programs during the software reverse engineering process. In particular, in the case of virtualization detection and anti-debugging functions, the analysis tool exits the normal execution flow and terminates the program. In this paper, we analyze the anti-reversing techniques of executables protected with the Debugger Detection and Virtualization Tools Detection options of VMProtect 3.5.0, one of the commercial obfuscation tools (protectors), and address bypass methods using Pin. In addition, since the program is terminated by the anti-VM and anti-DBI technology, we predicted the location of the applied obfuscation technique by finding the specific program termination routine through API analysis, and drew up an algorithm flowchart for bypassing the anti-reversing techniques. Considering compatibility problems and changes in techniques arising from version differences in the software used in the experiment, it was confirmed that the bypass was successful by writing the Pin automated bypass code against the latest versions of the software (VMProtect, Windows, Pin) and conducting the experiment. By improving the proposed analysis method, it is possible to analyze the anti-reversing methods of obfuscation tools for which no method has been presented so far and to find a bypass method.

How to Prevent Software crack for Control PE (PE Format 조작을 통한 소프트웨어 크랙 방지 기술)

  • Kim, Tae-hyoung; Jang, Jong-uk
    • Proceedings of the Korean Institute of Information and Communication Sciences Conference, 2017.05a, pp.249-251, 2017
  • In the past, people thought that software security was not important, but the skills for attacking software have grown fast; software cracking drags down the growth of the software industry, and the profit of copyright holders has declined. So I propose software crack prevention by changing the PE format. Hackers can analyze a program statically. By changing the PE format, we can prevent static analysis. By inserting anti-debugging code into the exe file, the program is protected from dynamic analysis.

Implementation of DAS for Performance Analysis of Heavy-Vehicle ABS (대형 차량용 ABS의 성능분석을 위한 DAS 구현)

  • Lee, Ki-Chang; Jeon, Jung-Woo; Nam, Taek-Kun; Hwang, Don-Ha; Kim, Yong-Joo
    • Proceedings of the KIEE Conference, 2002.07d, pp.2373-2375, 2002
  • A real-vehicle braking test of a vehicle equipped with an electronically controlled Anti-lock Brake System (ABS) requires a test vehicle as well as a great deal of analysis equipment. Such expensive equipment is not only hard to obtain but also takes a considerable period to learn how to use, so its use is constrained when applied to an ABS that is still under development. In this paper, an anti-lock braking algorithm and an Electronic Control Unit (ECU) under development were installed in a large bus, driving tests were conducted on a low-adhesion road surface, and a Data Acquisition System (DAS) was implemented to analyze the driving records. The DAS, whose purpose is to verify the functions and performance of the developed ABS algorithm and ECU, used a control board and a portable notebook computer without additional sensors or expensive equipment. Although high-precision data could not be acquired, real-vehicle braking tests using the developed DAS achieved an economical yet effective performance analysis of the ECU and algorithm. In particular, because the developed DAS implemented control and data acquisition on the same board, the results of real-vehicle driving tests with the ABS fitted could be reflected immediately in the control algorithm. This One Board System and On-Vehicle Programming approach enabled rapid debugging and parameter tuning of the developed algorithm, so the performance of the developed ABS ECU and control algorithm could be verified effectively within the limited period available for real-vehicle braking tests.

Improved Original Entry Point Detection Method Based on PinDemonium (PinDemonium 기반 Original Entry Point 탐지 방법 개선)

  • Kim, Gyeong Min; Park, Yong Su
    • KIPS Transactions on Computer and Communication Systems, v.7 no.6, pp.155-164, 2018
  • Many malicious programs have been compressed or encrypted using various commercial packers to prevent reverse engineering, so malicious code analysts must decompress or decrypt them first. The OEP (Original Entry Point) is the address of the first instruction executed after the encrypted or compressed executable file has been restored to its original binary state. Several unpackers, including PinDemonium, execute the packed file, keep track of the addresses until the OEP appears, and find the OEP among those addresses. However, instead of finding one exact OEP, unpackers provide a relatively large set of OEP candidates, and sometimes the OEP is missing from the candidates. In other words, existing unpackers have difficulty finding the correct OEP. We have developed a new tool that provides smaller OEP candidate sets by adding two methods based on properties of the OEP. In this paper, we propose two methods to provide smaller OEP candidate sets by using the property that the function call sequence and parameters are the same between the packed program and the original program. The first method is based on function calls. Programs written in C/C++ are compiled into binary code, and compiler-specific system functions are added to the compiled program. After examining these functions, we added a method to PinDemonium that detects the unpacking work by matching the patterns of system functions called in packed and unpacked programs. The second method is based on parameters. The parameters include not only the user-entered inputs but also the system inputs. We added a method to PinDemonium that finds the OEP using the system parameters of a particular function in stack memory. OEP detection experiments were performed on sample programs packed by 16 commercial packers. We can reduce the OEP candidates by more than 40% on average compared to PinDemonium, except for 2 commercial packers whose output cannot be executed due to anti-debugging techniques.