
PinShield: a dynamic layer of protection against anti-instrumentation attacks

FONTANA, LORENZO; GRITTI, FABIO
2014/2015

Abstract

Reverse engineers and anti-virus (AV) programs usually employ two techniques to examine malicious binaries: static analysis and dynamic analysis. The former studies a binary without executing it; the latter analyzes the program during its execution and is usually employed when the static approach is not feasible because of obfuscation. Dynamic analysis is usually conducted in a controlled environment called a sandbox and with tools such as debuggers, which allow the binary to be analyzed step by step. Malware often implements many techniques to change or hide its behaviour when it detects an attempt at dynamic analysis; in the literature these countermeasures are called anti-debugging and anti-sandboxing techniques. Malware that employs both anti-static-analysis and anti-dynamic-analysis techniques is notoriously difficult to analyze, because each strategy is usually used to handle the presence of the other. Thanks to the development and improvement of dynamic binary instrumentation (DBI) frameworks, analysts can use this new approach in their daily battle against malware. DBI lets professional malware researchers study malicious binaries at a great level of detail and, because its implementation differs deeply from that of a debugger, it is immune to many anti-debugging countermeasures. Consequently, in order to keep hindering the reverse engineering of their programs, malware authors were forced to develop a new series of countermeasures, called anti-instrumentation techniques, aimed at detecting the presence of the DBI. Researchers answered this problem by rethinking the implementation of such frameworks and creating new ones with greater stealthiness, but nobody, so far, has tried to provide solutions aimed at protecting the current implementations of DBI.
In this thesis we have explored the possibility of developing a dynamic protection framework, called PinShield, that can be used to defend PIN, one of the most used and supported DBI frameworks, against anti-instrumentation attacks. Starting from the techniques described in the literature, we first classified them and then implemented a countermeasure as generic as possible to defeat every class identified. To achieve this we leverage the fact that the DBI has complete control over the executed instructions of the instrumented process and is therefore able to detect and dismantle any evasion attempt. We tested our work with three main test cases: eXait, a tool that aims to detect DBI by exploiting different techniques; Obsidium, a very complete packer known to employ anti-instrumentation attacks; and PEspin, another packer, which employs self-modifying code that could crash the DBI framework. In every one of these cases PinShield was able to prevent PIN from being detected, permitting the analysis of the original protected program.
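The following C program is added here as an illustration; it is not part of the thesis and is not PinShield's code. It shows one anti-instrumentation check of the kind the abstract refers to, the x87 instruction pointer that fnstenv writes to memory, which under a DBI executing translated code from its code cache can point into the cache rather than into the original image, next to a model of the DBI-side countermeasure: since the framework sees every instruction it translates, it can rewrite the leaked value back to the original address before the program reads it. The struct layout follows the 32-bit protected-mode x87 environment format; the function names, the callback type and the code-cache mapping with its addresses are assumptions made for the example, and the native check is only implemented for x86-64 (it returns -1 elsewhere). Whether a particular DBI build actually leaks this value is something to verify on the framework in use.

```c
#include <stdint.h>
#include <stdio.h>

/* 28-byte x87 environment as written by fnstenv in 32-bit protected-mode
 * format (also used in 64-bit mode with the default 32-bit operand size).
 * Only the low 32 bits of the FPU instruction pointer are stored in fip. */
struct x87_env {
    uint32_t fcw, fsw, ftw, fip, fcs_opcode, fdp, fds;
};

/* Anti-instrumentation check. Returns 0 when the instruction pointer the CPU
 * recorded for the `fldz` equals the address the program expects (native
 * execution), 1 when it differs (the instruction ran from a copy elsewhere,
 * e.g. a DBI code cache that was not hidden), -1 when the check does not
 * apply to the architecture this was compiled for. */
int fpu_ip_leak_detects_dbi(void)
{
#if defined(__x86_64__)
    struct x87_env env;
    uintptr_t real_ip;

    __asm__ __volatile__(
        "fninit\n\t"              /* control instruction: clears the stale FIP */
        "1: fldz\n\t"             /* non-control instruction: its address becomes FIP */
        "fnstenv %0\n\t"          /* dump the x87 environment, FIP included */
        "fstp %%st(0)\n\t"        /* pop the 0.0 pushed by fldz, keep the stack balanced */
        "lea 1b(%%rip), %1\n\t"   /* address the program believes the fldz lives at */
        : "=m"(env), "=r"(real_ip)
        :
        : "cc");
    return env.fip != (uint32_t)real_ip;
#else
    return -1;
#endif
}

/* Model of the DBI-side countermeasure: the framework intercepts every fnstenv
 * it translates and, after it executes, rewrites the stored FIP from the
 * code-cache copy back to the original address of the instruction.
 * `to_original` stands for the cache-to-original mapping a DBI maintains for
 * the code it translated (an assumed callback in this example). */
typedef uint32_t (*addr_map_fn)(uint32_t cache_addr);

void fix_leaked_fip(struct x87_env *env, addr_map_fn to_original)
{
    env->fip = to_original(env->fip);
}

/* Constructed mapping for the demonstration: pretend the translated copy of
 * the original page at 0x401000 sits in the code cache at 0x7f001000. */
uint32_t demo_to_original(uint32_t cache_addr)
{
    const uint32_t cache_base = 0x7f001000u, orig_base = 0x00401000u, size = 0x1000u;
    if (cache_addr - cache_base < size)          /* unsigned wrap handles addr < base */
        return orig_base + (cache_addr - cache_base);
    return cache_addr;                            /* not a code-cache address: untouched */
}

/* Simulates an environment leaked under the DBI (constructed value) and applies
 * the fix; returns the FIP the instrumented program will observe afterwards. */
uint32_t demo_fix_fip(void)
{
    struct x87_env env = {0};
    env.fip = 0x7f001234u;                        /* constructed code-cache address */
    fix_leaked_fip(&env, demo_to_original);
    return env.fip;                               /* 0x00401234 after the fix */
}

int main(void)
{
    int r = fpu_ip_leak_detects_dbi();
    printf("fnstenv check: %s\n",
           r < 0 ? "not applicable on this architecture"
                 : r ? "instruction pointer does not match (DBI detected)"
                     : "native execution");
    printf("patched FIP: 0x%08x\n", demo_fix_fip());
    return 0;
}
```

Run natively the check reports native execution, because the CPU records the address of the real `fldz`; the patching half shows the shape of the generic countermeasure described in the abstract, where the framework's control over the executed instructions is used to make the leaked artifact look like the one the original program would have produced.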
MAGGI, FEDERICO
POLINO, MARIO
ING - Scuola di Ingegneria Industriale e dell'Informazione
27-apr-2016
2014/2015
Master's thesis (Tesi di laurea Magistrale)
Attached files
File: 2016_04_Fontana_Gritti.pdf (Thesis text), 1.48 MB, Adobe PDF, not accessible

Documents in POLITesi are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/10589/120947