Twinner: A framework for automated software deobfuscation

Document Type : Article


Department of Computer Engineering, Sharif University of Technology, Tehran, P.O. Box 11155/1639, Iran


Malware analysis is essential to understanding the internal logic and intent of malware programs in order to mitigate their threats. As the analysis methods have evolved, malware authors have adopted more techniques such as the virtualization obfuscation to protect the malware inner workings. This manuscript presents a framework for deobfuscating software which abstracts the input program as much as a mathematical model of its behavior, through monitoring every single operation performed during the malware execution. Also
the program is guided to run through its di erent execution paths automatically in order to gather as much knowledge as possible in the shortest time span. This makes it possible to nd hidden logics and deobfuscate di erent obfuscation techniques without being dependent on their speci c details. The resulting model is then recoded as a C program without the arti cially added complexities. This code is called a twincode and behaves in the same manner as the obfuscated binary. As a proof of concept, the proposed framework is implemented and its e ectiveness is evaluated on obfuscated binaries. Program control  flow graphs are
inspected as a measure of successful code recovery. The performance of the proposed framework is evaluated using the set of SPEC test programs.


1.Global Research & Analysis Team (GReAT), Equation group: Questions and answers", Kaspersky Labs, group questions and answers.pdf Online. Retrieved on 25th Feb 2015.
2. sKyWIper Analysis Team skywiper: A complex malware for targeted attacks", Tech. Rep., Laboratory of Cryptography and System Security (CrySyS Lab), Budapest University of Technology and Economics (2012).
3. Rolles, R. Unpacking virtualization obfuscators", 3rd USENIX Conference on O_ensive Technologies, USENIX Association, pp. 1-1 (2009).
4. Kinder, J. Towards static analysis of virtualizationobfuscated binaries", 19th Working Conference on Reverse Engineering (WCRE), IEEE, pp. 61-70 (2012). 5. Yadegari, B., Johannesmeyer, B., Whitely, B., et al. A generic approach to automatic deobfuscation of executable code", 2015 IEEE Symposium on Security and Privacy, IEEE, pp. 674-691 (2015). 6. Sharif, M., Lanzi, A., Gi_n, J., et al. Automatic reverse engineering of malware emulators", 30th IEEE Symposium on Security and Privacy, IEEE, pp. 94-109 (2009). 7. Newsome, J., Karp, B., and Song, D. Polygraph: Automatically generating signatures for polymorphic worms", IEEE Symposium on Security and Privacy, IEEE, pp. 226-241 (2005).