52ky 发表于 2021-6-28 12:49:09

Towards Static Analysis of Virtualization-Obfuscated Binaries by Johannes Kin...


虚拟化混淆通过将程序编译为随机虚拟架构的字节码并附加相应的解释器来保护程序免受手动或自动分析。静态分析对此类程序似乎无能为力,因为只有解释器的代码是直接可见的。

在本文中,我们解释了静态分析解释器和字节码组合的特殊挑战。用于计算可能变量值的静态分析通常只精确到程序位置。然而,在解释器循环中,这结合了来自字节码程序不同位置的无关数据流信息。

为了避免这种信息丢失,我们展示了如何将现有的静态分析提升到额外的位置维度,从而对虚拟程序计数器的值变得敏感。因此,静态分析仅合并来自相等字节码位置的数据流。我们提升了在 JAKSTAB 静态分析器中实现的现有分析,并提供了处理虚拟化混淆二进制文件的初步结果。


(Virtualization-obfuscation protects a program from manual or automated analysis by compiling it into bytecode for a randomized virtual architecture and attaching a corresponding interpreter. Static analysis appears to be helpless on such programs, where only the code of the interpreter is directly visible.

In this paper, we explain the particular challenges for statically analyzing the combination of interpreter and bytecode. Static analysis for computing possible variable values is commonly precise only to the program location. In the interpreter loop, however, this combines unrelated data flow information from different locations of the bytecode program.

To avoid this loss of information, we show how to lift an existing static analysis to an additional dimension of location, to become sensitive to the value of the virtual program counter. Thus, the static analysis merges data flow from equal bytecode locations only. We lift an existing analysis implemented in the JAKSTAB static analyzer and present preliminary results for processing a virtualization-obfuscated binary.)


页: [1]
查看完整版本: Towards Static Analysis of Virtualization-Obfuscated Binaries by Johannes Kin...