Code virtualization obfuscates a program by translating its original code into self-defined bytecode for a custom instruction set architecture, which is then run by an embedded interpreter. It is widely used to obfuscate malware because it renders conventional analysis ineffective. Using symbolic execution to assist in deobfuscating such programs has become a trend in recent research. However, we found many challenges that can lead to semantic confusion in previous symbolic execution techniques, and we propose a novel symbolic execution technique enhanced with time stamps to address them. For evaluation, we implemented it as a prototype, SymSem, and deobfuscated programs protected by popular virtual machines. The results indicate that our method accurately recovers the semantics of an obfuscated function trace.
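The following toy is an added illustration of the setting the abstract describes, not code from the paper or the SymSem prototype. It compiles a small function into a constructed stack-machine bytecode (the "self-defined bytecode"), records a concrete execution trace in which every handler carries a time stamp, and then symbolically re-executes the trace to rebuild an expression for the function's result. The opcode encoding, the `Sym` expression type, and the way time stamps are used to pair each memory load with the most recent earlier store to the same slot are all assumptions made for this example; the paper's actual time-stamp mechanism and its handling of semantic confusion are not reproduced here. The `naive=True` path shows one constructed form of confusion, where a load that ignores store ordering yields the wrong semantics.

```python
"""Toy VM obfuscation and symbolic recovery of a handler trace (constructed example)."""
from dataclasses import dataclass

# --- the original function we will "virtualize" ---------------------------------
def original(a, b, c):
    return (a + b) * c - a

# --- assumed custom bytecode: opcode numbering is our own, not any real VM's ------
PUSH_ARG, PUSH_IMM, ADD, SUB, MUL, STORE, LOAD, RET = range(8)
BINOP = {ADD: "+", SUB: "-", MUL: "*"}

# original() hand-compiled to the toy bytecode; scratch memory slot 0 is written twice,
# which is what makes store/load ordering matter during recovery.
BYTECODE = [
    (PUSH_ARG, 0), (PUSH_ARG, 1), (ADD,), (PUSH_ARG, 2), (MUL,), (STORE, 0),  # slot0 = (a+b)*c
    (LOAD, 0), (PUSH_ARG, 0), (SUB,), (STORE, 0),                            # slot0 = slot0 - a
    (LOAD, 0), (RET,),                                                       # return slot0
]

@dataclass(frozen=True)
class Sym:
    """Minimal symbolic expression: op is 'arg', 'imm', or a binary operator."""
    op: str
    args: tuple = ()

    def __str__(self):
        if self.op == "arg":
            return f"arg{self.args[0]}"
        if self.op == "imm":
            return str(self.args[0])
        return f"({self.args[0]} {self.op} {self.args[1]})"

    def eval(self, argv):
        """Concretely evaluate the recovered expression on a tuple of arguments."""
        if self.op == "arg":
            return argv[self.args[0]]
        if self.op == "imm":
            return self.args[0]
        x, y = self.args[0].eval(argv), self.args[1].eval(argv)
        return {"+": x + y, "-": x - y, "*": x * y}[self.op]

def run_vm(code, argv):
    """Concretely interpret the bytecode and record the trace as (ts, opcode, operand).
    The time stamp is simply the position of the handler in the executed sequence."""
    stack, mem, trace = [], {}, []
    for ts, ins in enumerate(code):
        op, operand = ins[0], (ins[1] if len(ins) > 1 else None)
        trace.append((ts, op, operand))
        if op == PUSH_ARG:
            stack.append(argv[operand])
        elif op == PUSH_IMM:
            stack.append(operand)
        elif op in BINOP:
            y, x = stack.pop(), stack.pop()
            stack.append({ADD: x + y, SUB: x - y, MUL: x * y}[op])
        elif op == STORE:
            mem[operand] = stack.pop()
        elif op == LOAD:
            stack.append(mem[operand])
        elif op == RET:
            return stack.pop(), trace
    raise ValueError("bytecode ended without RET")

def recover_semantics(trace, naive=False):
    """Symbolically re-execute the recorded trace and return the returned value as a Sym.
    With time stamps, a LOAD resolves to the latest STORE to the same slot issued before it.
    With naive=True the first STORE to the slot is used regardless of order, which is the
    constructed 'semantic confusion' this example illustrates."""
    stack, stores = [], []  # stores: list of (ts, slot, Sym)
    for ts, op, operand in trace:
        if op == PUSH_ARG:
            stack.append(Sym("arg", (operand,)))
        elif op == PUSH_IMM:
            stack.append(Sym("imm", (operand,)))
        elif op in BINOP:
            y, x = stack.pop(), stack.pop()
            stack.append(Sym(BINOP[op], (x, y)))
        elif op == STORE:
            stores.append((ts, operand, stack.pop()))
        elif op == LOAD:
            candidates = [v for (sts, slot, v) in stores if slot == operand and sts < ts]
            stack.append(candidates[0] if naive else candidates[-1])
        elif op == RET:
            return stack.pop()
    raise ValueError("trace ended without RET")

if __name__ == "__main__":
    result, trace = run_vm(BYTECODE, (3, 4, 5))
    print("concrete VM result:", result, "| original:", original(3, 4, 5))
    print("recovered (time-stamped):", recover_semantics(trace))
    print("recovered (naive):       ", recover_semantics(trace, naive=True))
```

The time-stamped recovery yields `(((arg0 + arg1) * arg2) - arg0)`, which matches `original`, while the naive resolver returns only `((arg0 + arg1) * arg2)` because it pairs the final load with the stale first store.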
Li, H., Zhan, Y., Jianqiang, W., & Gu, D. (2020). SymSem: Symbolic Execution with Time Stamps for Deobfuscation. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 12020 LNCS, pp. 225–245). Springer. https://doi.org/10.1007/978-3-030-42921-8_13