Evading Malware Analysis Using Reverse Execution
This addresses a security threat for malware analysts by enabling evasion of detection, though it appears incremental as it builds on existing self-debugging techniques.
The paper tackles the problem of malware detection evasion by introducing a method based on single-step reverse execution using self-debugging, demonstrating feasibility with a real implementation on Linux x86-64 that produces different results when run forward versus reverse.
Malware is a security threat, and various means are adapted to detect and block them. In this paper, we demonstrate a method where malware can evade malware analysis. The method is based on single-step reverse execution of code using the self-debugging feature. We discuss how self-debugging code works and use that to derive reverse execution for any payload. Further, we demonstrate the feasibility of a detection evading malware through a real implementation that targets Linux x86-64 architecture for a reference implementation. The reference implementation produces one result when run in one direction and a different result when run in the reverse direction.