Towards LLM-Based Analysis of Virtualization-Obfuscated Code through Automated Data Generation
This work addresses the need for scalable analysis of virtualization-obfuscated code, a problem for security analysts dealing with malware or software protection.
The paper tackles the challenge of analyzing virtualization-obfuscated binaries with LLMs by decomposing them into structural units and using a static analysis framework to automatically generate labeled data. The prototype achieves strong performance on real-world obfuscators.
Virtualization-based obfuscation produces extremely large and structurally complex binaries, posing challenges for LLM-based analysis due to input size limits and the need for large-scale labeled data. We address this by focusing on structural rather than full semantic analysis. Obfuscated binaries are decomposed into the largest semantically coherent units that fit within LLM constraints and are labeled according to their structural roles. We implement a static analysis framework to automate labeling and enable large-scale dataset generation. Our prototype shows strong performance on real-world virtualization obfuscators.