Symbolic Deobfuscation: From Virtualized Code Back to the Original

• Published in: Detection of Intrusions and Malware, and Vulnerability Assessment pp. 372 - 392
• Main Authors: Salwan, Jonathan, Bardin, Sébastien, Potet, Marie-Laure
• Format: Book Chapter
• Language: English
• Published: Cham Springer International Publishing
• Series: Lecture Notes in Computer Science
• ISBN: 3319934104; 9783319934105
• ISSN: 0302-9743; 1611-3349
• DOI: 10.1007/978-3-319-93411-2_17

Software protection has taken an important place during the last decade in order to protect legit software against reverse engineering or tampering. Virtualization is considered as one of the very best defenses against such attacks. We present a generic approach based on symbolic path exploration, taint and recompilation allowing to recover, from a virtualized code, a devirtualized code semantically identical to the original one and close in size. We define criteria and metrics to evaluate the relevance of the deobfuscated results in terms of correctness and precision. Finally we propose an open-source setup allowing to evaluate the proposed approach against several forms of virtualization.