17 November 2016 - 14h30
Formal Approaches for Automatic Deobfuscation and Reverse-engineering of Protected Codes
by Robin David from CEA LIST
Abstract: This work was presented at BlackHat Europe 2016: https://www.blackhat.com/eu-16/briefings.html#code-deobfuscation-intertwining-dynamic-static-and-symbolic-approaches
Malware analysis is a growing research field because of the criticality and variety of the
assets targeted, as well as the increasing costs involved. Such software frequently uses
evasion tricks aimed at hindering detection and analysis techniques. Among these, obfuscation
intends to hide the program's behavior. This talk presents the potential of Dynamic
Symbolic Execution (DSE) for reverse-engineering, through two variants of DSE algorithms
adapted and designed to work on protected code. The first is a flexible definition of the
DSE path predicate computation based on concretization and symbolization (which operands
are kept symbolic and which are replaced by their runtime value). The second is a
backward-bounded symbolic execution algorithm, which reasons only over a bounded number of
instructions preceding a branch. We then show how to combine these techniques with static
analysis in order to get the best of both. These algorithms have been implemented in
different tools, Binsec/se, Pinsec and Idasec, which interact with each other, and have been
tested on several malicious codes and commercial packers. This talk highlights and presents
various practical examples of these tools, in particular the deobfuscation of the X-tunnel
malware used by the APT28 group.
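The following toy illustrates the two ideas in the abstract on a three-address IR: a forward DSE run whose concretization/symbolization policy decides, operand by operand, whether to keep a symbolic expression or replace it by the runtime value (recording an equality constraint when it does), and a backward-bounded symbolic execution that proves a conditional jump opaque by looking only at the k instructions before it. This is an added example written for this page; it is not code from the talk nor from Binsec/se, Pinsec or Idasec. The IR, the 8-bit domain, the `PROG` sample, the policy names and the brute-force enumeration standing in for an SMT solver are all assumptions made here.

```python
"""Toy DSE: forward path predicate under a C/S policy, and backward-bounded
symbolic execution for opaque-predicate detection. Added example, not from
the original talk or tools; everything below is a simplifying assumption."""
from itertools import product

W = 8                       # assumed toy bit width; arithmetic is mod 2**W
MASK = (1 << W) - 1

# Expressions: ("const", n) | ("var", name) | (op, a, b), op in add/mul/and/eq
# Instructions: ("assign", dst, expr) | ("cjump", cond_expr)

def ev(expr, env):
    """Concrete evaluation of expr under env (var -> value)."""
    k = expr[0]
    if k == "const":
        return expr[1] & MASK
    if k == "var":
        return env[expr[1]] & MASK
    a, b = ev(expr[1], env), ev(expr[2], env)
    return {"add": (a + b) & MASK, "mul": (a * b) & MASK,
            "and": a & b, "eq": int(a == b)}[k]

def free_vars(expr, acc=None):
    acc = set() if acc is None else acc
    if expr[0] == "var":
        acc.add(expr[1])
    elif expr[0] != "const":
        free_vars(expr[1], acc)
        free_vars(expr[2], acc)
    return acc

def count_models(pred, fv):
    """Stand-in for an SMT query: enumerate all W-bit assignments to the free
    inputs and count those satisfying every (expr, expected_value) in pred."""
    names = sorted(fv)
    return sum(all(ev(e, dict(zip(names, vals))) == want for e, want in pred)
               for vals in product(range(1 << W), repeat=len(names)))

def forward_dse(prog, inputs, policy):
    """Concrete + symbolic run. policy(op, sym_operand) -> True means
    concretize that operand: replace it by its runtime value and add the
    constraint 'sym_operand == value' to the path predicate."""
    conc = dict(inputs)                       # concrete state
    sym = {v: ("var", v) for v in inputs}     # symbolic state over inputs
    path_pred = []                            # list of (expr, expected value)

    def sexpr(expr):
        if expr[0] == "const":
            return expr
        if expr[0] == "var":
            return sym[expr[1]]
        parts = []
        for sub in expr[1:]:
            s = sexpr(sub)
            if s[0] != "const" and policy(expr[0], s):
                val = ev(sub, conc)
                path_pred.append((("eq", s, ("const", val)), 1))
                s = ("const", val)
            parts.append(s)
        return (expr[0], *parts)

    for ins in prog:
        if ins[0] == "assign":
            sym[ins[1]] = sexpr(ins[2])
            conc[ins[1]] = ev(ins[2], conc)
        else:                                  # cjump: record branch taken
            path_pred.append((sexpr(ins[1]), ev(ins[1], conc)))
    return path_pred

def backward_bounded(prog, idx, k):
    """Backward-bounded SE: symbolically execute only the k instructions
    before the cjump at prog[idx]; anything defined earlier stays a free
    input. Returns (cond_can_be_false, cond_can_be_true); (False, True) or
    (True, False) proves the predicate opaque within the bound."""
    sym = {}

    def sexpr(expr):
        if expr[0] == "const":
            return expr
        if expr[0] == "var":
            return sym.get(expr[1], expr)
        return (expr[0], sexpr(expr[1]), sexpr(expr[2]))

    for ins in prog[max(0, idx - k):idx]:
        if ins[0] == "assign":
            sym[ins[1]] = sexpr(ins[2])
    cond = sexpr(prog[idx][1])
    fv = free_vars(cond)
    return (count_models([(cond, 0)], fv) > 0, count_models([(cond, 1)], fv) > 0)

# Constructed sample program: x*(x+1) is always even, so the first cjump is
# an opaque predicate (always taken); the second genuinely depends on x.
PROG = [
    ("assign", "t1", ("add", ("var", "x"), ("const", 1))),
    ("assign", "y",  ("mul", ("var", "x"), ("var", "t1"))),
    ("assign", "t2", ("and", ("var", "y"), ("const", 1))),
    ("cjump", ("eq", ("var", "t2"), ("const", 0))),        # opaque
    ("assign", "z",  ("and", ("var", "x"), ("const", 1))),
    ("cjump", ("eq", ("var", "z"), ("const", 0))),         # genuine
]

# Two assumed C/S policies: never concretize, or concretize mul operands
# (e.g. to keep the predicate linear for the solver).
never_concretize = lambda op, s: False
concretize_mul = lambda op, s: op == "mul"

if __name__ == "__main__":
    for pol in (never_concretize, concretize_mul):
        pred = forward_dse(PROG, {"x": 5}, pol)
        print(pol.__name__ if hasattr(pol, "__name__") else pol,
              "models:", count_models(pred, {"x"}))
    print("opaque, k=3:", backward_bounded(PROG, 3, 3))
    print("opaque, k=1:", backward_bounded(PROG, 3, 1))
    print("genuine, k=2:", backward_bounded(PROG, 5, 2))
```

Two things are worth noticing when running it. Concretizing the `mul` operands turns the path predicate into a set of equalities that only `x == 5` satisfies, whereas the fully symbolic predicate still has 128 models (every odd `x`): concretization buys a simpler predicate at the price of generality, which is the trade-off a C/S policy has to tune per operand. For the backward-bounded check, a bound of 3 proves the first branch opaque, but a bound of 1 leaves `y` free and cannot conclude, so a too-small k yields "unknown" rather than a false positive.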