A new instruction overlapping technique for improved anti-disassembly and obfuscation of x86 binaries
Summary, in English
We propose and investigate a novel anti-disassembly method that allows for exceptional flexibility in the hidden instructions, while at the same time providing a disassembled main path that is executable. This allows the approach to be very efficient against static linear sweep disassembly, but also to be more difficult to detect using dynamic analysis methods. The idea is to utilize highly redundant instructions, e.g., multibyte no-operation instructions, and embed the hidden code in the configurable portions of those instructions. By carefully selecting wrapping instructions, providing overlaps, the hidden execution path can be crafted with great flexibility. We also provide a detection algorithm, together with testing results, for testing software such that the hidden execution path can be identified.
Publishing year
2013
Language
English
Pages
25-33
Publication/Series
Workshop on Anti-malware Testing Research (WATeR), Montreal, QC, Canada
Document type
Conference paper
Publisher
IEEE - Institute of Electrical and Electronics Engineers Inc.
Topic
- Electrical Engineering, Electronic Engineering, Information Engineering
Keywords
- overlapping instructions, anti-disassembly, hidden execution path, obfuscation, malware, x86
Conference name
Workshop on Anti-malware Testing Research (WATeR)
Conference date
2013-10-30
Conference place
Montreal, Canada
Status
Published
Research group
- Crypto and Security
ISBN/ISSN/Other
- ISBN: 978-1-4799-2476-9