Nowadays most of malware applications, as well as common software, are either packed or protected. These obfuscation techniques are applied especially to evade signature-based detectors and also to complicate the job of reverse engineers or security analysts. State-of-the-art malware detectors have adopted both static and dynamic techniques to recover the payload of a packed or self-modifying binary, but unfortunately, such techniques come with several limitations. Recently, the adoption of packer-agnostic solutions proved to be the most promising and effective approach. Indeed, many generic binary unpackers have been proposed: they extract the payload from packed binaries without requiring the prior knowledge of the packer's flavor. However, high runtime overhead and lack of anti-analysis resistance have severely limited their adoptions. In this work, we propose a stealthy generic unpacking tool, called PageBuster, which exploits as underlying idea that the original code should be present in memory and executed at some point at run-time. By monitoring program execution and written-then-executed flows at run-time in a non-intrusive way, PageBuster can extract all the pages ever executed by the target binary, be it packed or self-modifying. Moreover, PageBuster is able to deal with both known and unknown packing algorithms. In the rest of the work, we illustrate the integration between PageBuster and rev.ng. rev.ng is a reverse engineering framework, based on LLVM, that features a static binary translation tool: it translates machine code into LLVM IR, a higher-level intermediate representation, independent from the input architecture, and suitable to perform a variety of analyses and transformations. Indeed, disassembly is a crucial task in malware analysis and reverse engineering. It involves the recovery of assembly instruction from binary machine code. Correct disassembly is necessary to produce a higher-level representation of the code allowing better analysis. Nonetheless, it can be problematic in the case of packed or self-modifying code. The integration between PageBuster and rev.ng allows to produce an LLVM IR that can fully capture the self-modifying nature of the target binary. We conclude by analyzing the results we obtained both (i) evaluating PageBuster on its own with executables packed with UPX, a known and widely used packer, and (ii) lifting self-modifying binaries.
Al giorno d'oggi, la maggior parte del malware, cosi come comune software, è packato o protetto. Queste tecniche di offuscazione sono usate specialmente per evadere rilevatori signature-based e per complicare il lavoro di reverse engineers e analisti di sicurezza informatica. I rilevatori di malware dello stato dell'arte adottano tecniche sia statiche che dinamiche per recuperare i dati utili di un binario packato o automodificante, ma sfortunatamente queste tecniche hanno molte limitazioni. In tempi recenti, l'adozione di soluzioni agnostiche nei confronti del tipo di packer ha dimostrato di essere l'approccio piu promettente ed efficace. Infatti, sono stati proposti molti approcci generici all'unpacking: estraggono il payload dai binari packati anche senza necessitare della conoscenza dello specifico packer. Tuttavia, un alto overhead a runtime, assieme alla mancanza di resistenza rispetto ad analisi, ne hanno limitato fortemente l'adozione. In questo lavoro, proponiamo uno strumento trasparente generico di unpacking, chiamato PageBuster, basato sul principio per cui il codice originario deve essere presente in memoria ed eseguito ad un certo instante a runtime. Monitorando l'esecuzione del programma, cosi come i flussi di scrittura-ed-esecuzione in maniera non intrusiva, PageBuster estrae tutte le pagine mai eseguite dal binario target, sia esso packato o automodificante. Inoltre, PageBuster lavora con algoritmi di packing sia conosciuti che non. Nel resto del lavoro, illustriamo il processo di integrazione avvenuto tra PageBuster e rev.ng. rev.ng è un framework di ingegneria inversa basato su LLVM che possiede uno strumento di traduzione statica di binari: traduce codice macchina in LLVM IR, una rappresentazione intermedia di alto livello, indipendente dalla architettura in ingresso, ed adatto a varie forme di analisi e ottimizzazione. Infatti, la capacità di disassemblare è un compito cruciale nel campo dell'analisi del malware e dell'ingegneria inversa. Consiste nel recupero delle istruzioni assembly dal codice macchina binario. Un corretto ottenimento di codice assembly è necessario per produrre una rappresentazione di più alto livello del codice permettendo una migliore analisi. Tuttavia, gestire codice packato o automodificante può essere problematico. L'integrazione tra PageBuster e rev.ng permette di produrre un LLVM IR che riesce a riflettere la natura automodificante del binario target. Concludiamo analizzando i risultati ottenuti sia (i) valutando PageBuster in isolamento con eseguibili packati con UPX, un packer noto e largamente usato, sia (ii) liftando binari automodificanti.
PageBuster : combining stealthy generic unpacking tool with static analysis for packed and self-modifying binaries
Giordano, Matteo
2020/2021
Abstract
Nowadays most of malware applications, as well as common software, are either packed or protected. These obfuscation techniques are applied especially to evade signature-based detectors and also to complicate the job of reverse engineers or security analysts. State-of-the-art malware detectors have adopted both static and dynamic techniques to recover the payload of a packed or self-modifying binary, but unfortunately, such techniques come with several limitations. Recently, the adoption of packer-agnostic solutions proved to be the most promising and effective approach. Indeed, many generic binary unpackers have been proposed: they extract the payload from packed binaries without requiring the prior knowledge of the packer's flavor. However, high runtime overhead and lack of anti-analysis resistance have severely limited their adoptions. In this work, we propose a stealthy generic unpacking tool, called PageBuster, which exploits as underlying idea that the original code should be present in memory and executed at some point at run-time. By monitoring program execution and written-then-executed flows at run-time in a non-intrusive way, PageBuster can extract all the pages ever executed by the target binary, be it packed or self-modifying. Moreover, PageBuster is able to deal with both known and unknown packing algorithms. In the rest of the work, we illustrate the integration between PageBuster and rev.ng. rev.ng is a reverse engineering framework, based on LLVM, that features a static binary translation tool: it translates machine code into LLVM IR, a higher-level intermediate representation, independent from the input architecture, and suitable to perform a variety of analyses and transformations. Indeed, disassembly is a crucial task in malware analysis and reverse engineering. It involves the recovery of assembly instruction from binary machine code. Correct disassembly is necessary to produce a higher-level representation of the code allowing better analysis. Nonetheless, it can be problematic in the case of packed or self-modifying code. The integration between PageBuster and rev.ng allows to produce an LLVM IR that can fully capture the self-modifying nature of the target binary. We conclude by analyzing the results we obtained both (i) evaluating PageBuster on its own with executables packed with UPX, a known and widely used packer, and (ii) lifting self-modifying binaries.| File | Dimensione | Formato | |
|---|---|---|---|
|
thesis.pdf
accessibile in internet per tutti
Descrizione: Master dissertation's pdf.
Dimensione
1.36 MB
Formato
Adobe PDF
|
1.36 MB | Adobe PDF | Visualizza/Apri |
I documenti in POLITesi sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
https://hdl.handle.net/10589/179481