• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.29 no.6
• /
• pp.1375-1382
• /
• 2019

The latest version of commercial protector, Themida, has been updated, it is impossible to apply a normalized unpacking mechanism from previous studies by disable the use of a virtual memory allocation that provides initial data to be tracked. In addition, compared to the previous version, which had many values that determined during execution and easy to track dynamically, it is difficult to track dynamically due to values determined at the time of applying the protector. We will look at how the latest version of Themida make it difficult to normalize the API wrapping process by adopted techniques and examine the possibilities of applying the unpacking techniques to further develop an automated unpacking system.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.27 no.4
• /
• pp.785-802
• /
• 2017

As cyber threats using malicious code continue to increase, many security and vaccine companies are putting a lot of effort into analysis and detection of malicious codes. However, obfuscation techniques that make software analysis more difficult are applied to malicious codes, making it difficult to respond quickly to malicious codes. In particular, commercial obfuscation tools can quickly and easily generate new variants of malicious codes so that malicious code analysts can not respond to them. In order for analysts to quickly analyze the actual malicious behavior of the new variants, reverse obfuscation(=de-obfuscation) is needed to disable obfuscation. In this paper, general analysis methodology is proposed to de-obfuscate the software used by a commercial obfuscation tool, Themida. First, We describe operation principle of Themida by analyzing obfuscated executable file using Themida. Next, We extract original code and data information of executable from obfuscated executable using Pintool, DBI(Dynamic Binary Instrumentation) framework, and explain the implementation results of automated analysis tool which can deobfuscate to original executable using the extracted original code and data information. Finally, We evaluate the performance of our automated analysis tool by comparing the original executable with the de-obfuscated executable.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.27 no.1
• /
• pp.67-77
• /
• 2017

A protector is a software for protecting core technologies by using compression and encryption. Nowadays malwares use the protector to conceal the malicious code from the analysis. For detailed analysis of packed program, unpacking the protector is a necessary procedure. Lately, most studies focused on finding OEP to unpack the program. However, in this case, it would be difficult to analyze the program because of the limits to remove protecting functions by finding OEP. In this paper, we studied about the protecting functions in the Themida and propose an unpacking technique for it.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.32 no.2
• /
• pp.181-192
• /
• 2022

The emergence of new malware is incapacitating existing signature-based malware detection techniques., and applying various anti-analysis techniques makes it difficult to analyze. Recent studies related to signature-based malware detection have limitations in that malware creators can easily bypass them. Therefore, in this study, we try to build a machine learning model that can detect and classify the anti-analysis techniques of packers applied to malware, not using the characteristics of the malware itself. In this study, the n-gram opcodes are extracted from the malicious binary to which various anti-analysis techniques of the commercial packers are applied, and the features are extracted by using TF-IDF, and through this, each anti-analysis technique is detected and classified. In this study, real-world malware samples packed using The mida and VMProtect with multiple anti-analysis techniques were trained and tested with 6 machine learning models, and it constructed the optimal model showing 81.25% accuracy for The mida and 95.65% accuracy for VMProtect.