A Core-Structure-Based Automated Analysis Tool for Commercial Virtualization Obfuscation Deobfuscation
This tool significantly reduces the effort required for malware analysts to deobfuscate programs using virtualization obfuscation, a powerful and increasingly prevalent technique.
This study addresses the challenge of analyzing virtualization obfuscation, which is increasingly used in malware and demands significant effort from analysts. The authors propose VMPredator, an automated tool that extracts semantic units from obfuscated programs, reducing their length by approximately 85% and fully restoring small-scale programs to their original semantics.
Virtualization obfuscation is a more powerful obfuscation technique compared to other obfuscation methods, and as it is increasingly being applied to malware, it demands significant effort and time from analysts. This study analyzes virtualization obfuscation and proposes a tool called VMPredator that automatically extracts semantic units. The proposed tool performs various analyses including memory analysis and trace analysis, while minimizing dependency on the specific internal structure of virtual machines in order to handle diverse forms of virtualization obfuscation that existing tools are unable to process. Experimental results demonstrate that the length of obfuscated programs was reduced by approximately 85%, and it was verified through validation that small-scale programs were fully restored to semantics identical to the original.