Twinner: A framework for automated software deobfuscation

Document Type: Article

Authors

Department of Computer Engineering, Sharif University of Technology, Tehran, P.O. Box 11155/1639, Iran

Abstract

Malware analysis is essential to understanding the internal logic and intent of malware programs in order to mitigate their threats. As the analysis methods have evolved, malware authors have adopted more techniques such as the virtualization obfuscation to protect the malware inner workings. This manuscript presents a framework for deobfuscating software which abstracts the input program as much as a mathematical model of its behavior, through monitoring every single operation performed during the malware execution. Also
the program is guided to run through its di erent execution paths automatically in order to gather as much knowledge as possible in the shortest time span. This makes it possible to nd hidden logics and deobfuscate di erent obfuscation techniques without being dependent on their speci c details. The resulting model is then recoded as a C program without the arti cially added complexities. This code is called a twincode and behaves in the same manner as the obfuscated binary. As a proof of concept, the proposed framework is implemented and its e ectiveness is evaluated on obfuscated binaries. Program control  flow graphs are
inspected as a measure of successful code recovery. The performance of the proposed framework is evaluated using the set of SPEC test programs.

Keywords