SHF: Small: Reverse Engineering Obfuscated Executables

SHF：小型：逆向工程混淆的可执行文件

• 批准号: 1016058
• 负责人: Saumya Debray
• 金额: $ 10万
• 依托单位: University of Arizona
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2010
• 资助国家: 美国
• 起止时间: 2010-09-01 至 2012-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1016058&HistoricalAwards=false
• 关键词: SHF; Small; Reverse; Engineering; Obfuscated

Computer malware codes are usually heavily obfuscated via a variety of techniques that make it difficult to understand the logic of the code. Existing tools for malware analysis do not provide much support for automatically removing such obfuscations, which therefore requires a great deal of time-consuming manual intervention. This project aims to develop techniques and tools to automate the identification and removal of obfuscation code from malware programs, focusing in particular on a class of obfuscations called "virtualization-based obfuscation". It uses program analysis techniques to identify instructions that affect the program's observable behavior; these instructions are extracted and, where appropriate, simplified to obtain the deobfuscated malware code. The main impact of this project will be to make it easier and quicker for security researchers to figure out the internal logic of malware programs. This, in turn, will make it possible to respond more quickly to new malware and develop countermeasures to them faster and with less manual intervention. The effect will be to reduce the damage done by malware before they can be neutralized.

计算机恶意软件代码通常通过各种技术严重混淆，使其难以理解代码的逻辑。现有的恶意软件分析工具不支持自动删除这种混淆，因此需要大量耗时的人工干预。该项目旨在开发技术和工具，以自动识别和删除恶意软件程序中的混淆代码，特别关注一类称为“基于虚拟化的混淆”的混淆。它使用程序分析技术来识别影响程序可观察行为的指令；提取这些指令，并在适当的情况下简化，以获得解混淆的恶意软件代码。这个项目的主要影响将是使安全研究人员更容易和更快地找出恶意软件程序的内部逻辑。反过来，这将使对新的恶意软件做出更快的反应，并以更少的人工干预更快地制定对策成为可能。其效果将是在恶意软件被中和之前减少它们所造成的损害。