An API deobfuscation method combining dynamic and static techniques

API call analysis is widely used to detect malicious behaviour, but malware authors encrypt the API names they use and resolve those APIs dynamically, so a static view of the binary sees only ciphertext. Decrypting this internal ciphertext has therefore become critical to malware analysis. In this paper we propose an approach that automatically recovers encrypted strings from malware. By analysing the inherent dependencies between functions, we automatically identify the decryption routine and extract its calling context. To reveal the encrypted API names, the approach loads the malware, reconstructs the context of the decryption routine, and then forces the program to call the decryption routine on that context. We demonstrate the feasibility of the approach with a prototype framework, ADSD (API Deobfuscation based on Static and Dynamic techniques).
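The following is an added illustration of the pipeline the abstract describes (identify the decryption routine from inter-function dependencies, extract its context, force-call it); it is not code from the ADSD prototype. Everything in it is constructed: a fake data section of XOR-encrypted API names, a call-site table standing in for the output of the static dependency analysis, and a Python function standing in for the malware's native decryption routine. The assumption that the routine's return value flows into the name argument of an API-resolution call such as GetProcAddress is the example's own heuristic for spotting the routine; the function names sub_401000, sub_401200, sub_401300, sub_401500 and the addresses are invented.

```python
"""Toy model of static + dynamic API deobfuscation (added example, not ADSD code)."""
import re

KEY = 0x5A  # constructed 1-byte XOR key used by the fake decryption routine


def _xor(data: bytes, key: int = KEY) -> bytes:
    return bytes(b ^ key for b in data)


# Constructed data section: address -> ciphertext of a NUL-terminated API name.
DATA = {
    0x403000: _xor(b"LoadLibraryA\0"),
    0x403010: _xor(b"GetProcAddress\0"),
    0x403020: _xor(b"CreateRemoteThread\0"),
    0x403030: _xor(b"WriteProcessMemory\0"),
    0x403040: b"\x00\x01\x02",  # constructed non-string blob handled by an unrelated helper
}

# Constructed summary of the static analysis: one record per call site.
# "args" holds what data-flow analysis resolved for each argument: an immediate
# pointer, a symbolic value, or "ret:<fn>" (the value returned by that callee).
CALL_SITES = [
    {"caller": "sub_401000", "callee": "sub_401200", "args": [0x403000]},
    {"caller": "sub_401000", "callee": "GetProcAddress", "args": ["hModule", "ret:sub_401200"]},
    {"caller": "sub_401000", "callee": "sub_401200", "args": [0x403010]},
    {"caller": "sub_401000", "callee": "GetProcAddress", "args": ["hModule", "ret:sub_401200"]},
    {"caller": "sub_401500", "callee": "sub_401200", "args": [0x403020]},
    {"caller": "sub_401500", "callee": "GetProcAddress", "args": ["hModule", "ret:sub_401200"]},
    {"caller": "sub_401500", "callee": "sub_401200", "args": [0x403030]},
    {"caller": "sub_401500", "callee": "GetProcAddress", "args": ["hModule", "ret:sub_401200"]},
    {"caller": "sub_401500", "callee": "sub_401300", "args": [0x403040]},
    {"caller": "sub_401500", "callee": "memcpy", "args": ["buf", "ret:sub_401300", 3]},
]

# API-resolution sinks whose name argument must be plaintext at call time (assumption).
RESOLVERS = {"GetProcAddress", "LoadLibraryA"}


def find_decryption_routines(call_sites):
    """Static step: an internal routine whose return value flows into the name
    argument of an API-resolution call is a decryption-routine candidate."""
    candidates = set()
    for cs in call_sites:
        if cs["callee"] in RESOLVERS:
            for arg in cs["args"]:
                if isinstance(arg, str) and arg.startswith("ret:"):
                    candidates.add(arg[len("ret:"):])
    return candidates


def extract_context(call_sites, routine):
    """Static step: collect the concrete pointer arguments passed to the routine
    at each of its call sites; these are the inputs the forced call will use."""
    return [a for cs in call_sites if cs["callee"] == routine
            for a in cs["args"] if isinstance(a, int)]


def native_sub_401200(ptr):
    """Python stand-in for the malware's own decryption routine. A real tool would
    set up registers and stack per the extracted context and jump to its entry."""
    plain = _xor(DATA[ptr])
    return plain.split(b"\0", 1)[0]


ROUTINES = {"sub_401200": native_sub_401200}  # constructed: routine name -> callable

API_NAME = re.compile(rb"^[A-Za-z_][A-Za-z0-9_]{2,63}$")  # plausible Win32 export name


def force_decrypt(call_sites, routines):
    """Dynamic step: force-call each candidate routine on every pointer it is
    given and keep only outputs that look like API names. A wrong context
    yields junk or a fault; both are discarded rather than reported."""
    resolved = {}
    for name in find_decryption_routines(call_sites):
        fn = routines.get(name)
        if fn is None:
            continue
        for ptr in extract_context(call_sites, name):
            try:
                plain = fn(ptr)
            except Exception:  # missing page, bad key, etc. under forced execution
                continue
            if API_NAME.match(plain):
                resolved[ptr] = plain.decode("ascii")
    return resolved


if __name__ == "__main__":
    for addr, api in sorted(force_decrypt(CALL_SITES, ROUTINES).items()):
        print(f"{addr:#x}: {api}")
```

The validation step at the end is the part worth keeping in a real implementation: forced execution with a reconstructed context can return arbitrary bytes, so every decrypted value should be checked against an expected shape (printable export-name syntax, or a table of known API names) before it is used to label behaviour.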
