SymSem: Symbolic Execution with Time Stamps for Deobfuscation

Abstract

Code virtualization obfuscates programs by transforming the original code into self-defined bytecode in a different instruction architecture. It is widely used to obfuscate malware because it renders normal analysis ineffective. Using symbolic execution to assist in deobfuscating such programs has become a trend in recent research. However, we found many challenges that may lead to semantic confusion in previous symbolic execution techniques, and proposed a novel symbolic execution technique enhanced by time stamps to tackle these issues. For evaluation, we implemented it as a prototype of SymSem and deobfuscated programs protected by popular virtual machines. The results indicate that our method is able to accurately recover the semantics of obfuscated function traces.

Cite

Li, H., Zhan, Y., Jianqiang, W., & Gu, D. (2020). SymSem: Symbolic Execution with Time Stamps for Deobfuscation. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 12020 LNCS, pp. 225–245). Springer. https://doi.org/10.1007/978-3-030-42921-8_13
