2016 - RAMBO: Run-time packer Analysis with Multiple Branch Observation
Run-time packing is a technique employed by malware authors in order to conceal (e.g., encrypt) malicious code and recover it at run-time
Shifting decode frames
Decrypt individual regions of code on demand, re-encrypting them again when they are not running
Particularly effective in cases in which the sample employs anti-sandbox techniques to conditionally execute the payload, or when it is designed to communicate with external entities
Run-time packers that only decrypt individual regions of code on demand, re-encrypting them again when they are not running
We do not need to execute all possible paths, but only to guide the execution in a way to maximize the recovered code.
Analysis engine based on Vine-IL, an intermediate language that allows control-flow and data-flow analysis algorithms to be designed.
To trace the execution of a binary, applying dynamic taint analysis.
Modified version of multi-path exploration applying a set of domain-specific optimizations that allow selective exploration of certain interesting regions of code of the original program protected by the packer
Execute the sample in a single-path execution mode and extract different pieces of information
Analyze the packer structure and identify the regions of memory that contain the protected code
Extract the memory that was unpacked in this first run, and compute the control flow graph of the unpacked code in order to provide a list containing the control flow instructions that lead to new regions.
Apply our optimized multi-path exploration engine using this pre-computed information to prioritize paths that will likely drive to the unpacking of new regions.
Allows a program to be evaluated over a set of symbolic inputs instead of concrete values.
Indirect memory accesses
A constraint solver can evaluate the symbolic expression that must be satisfied to follow a given path, providing an appropriate set of values for each input variable
Save the execution state before a conditional jump is evaluated
Similar to Exploring multiple execution paths for malware
Dynamic Taint Analysis
Taint the output of the APIs
e.g. network operations, file operations
Target Code Selection
In shifting-decode-frames, we can distinguish two parts in the code.
The goal only requires applying multi-path exploration to the protected code, avoiding the decryption and anti-analysis routines.
Domain-specific optimizations
Custom optimizations that simplify the multi-path exploration problem in the case of binary unpacking.
Multi-path exploration problem in binary unpacking
Blocking API calls.
String comparison optimization.
Local and global consistency.
Partial symbolic execution.
Inconsistent multi-path exploration
Traditional symbolic execution approaches cannot execute certain paths
Heuristic to guide the multi-path exploration
Determine which paths should be
A heuristic based on the intuition that, for a packer protected using the shifting-decode-frames technique, a subset of its execution paths (i.e., one or several instructions in the program) can trigger the execution of a region
It is not necessary to explore all the possible paths in order to fully unpack all the content of a binary.
The system extracts all the executed code and unpacked memory regions from a single-path execution trace in order to recover as much code as possible.
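The three-step procedure above (single-path run, control flow graph of the unpacked memory, prioritised multi-path exploration) and the heuristic it rests on, as one added worked example written for these notes rather than taken from RAMBO. It assumes a constructed disassembly of the code recovered after the first run, constructed address ranges for the protected regions, and a constructed single-path trace; a successor address that was not recovered in the first run but falls inside a protected region is taken to mean that flipping the branch may trigger the unpacking of that region.

```python
from collections import deque

# Constructed input: code recovered after the first, single-path run, as a map
#   address -> (mnemonic, [successor addresses])
# For a conditional branch the list is [fall-through, taken]; for a call it is
# [callee, return address]. Successors absent from CODE were still encrypted.
CODE = {
    0x1000: ("mov",  [0x1001]),
    0x1001: ("jz",   [0x1003, 0x1010]),   # executed; 0x1010 never reached
    0x1003: ("test", [0x1005]),
    0x1005: ("jne",  [0x1007, 0x1020]),   # executed; 0x1020 never reached
    0x1007: ("jbe",  [0x1009, 0x1003]),   # executed; 0x1003 is a loop back edge
    0x1009: ("ret",  []),
    0x1010: ("call", [0x2000, 0x1012]),   # call into protected region R1
    0x1012: ("jmp",  [0x1020]),
    0x1020: ("call", [0x3000, 0x1022]),   # call into protected region R2
    0x1022: ("ret",  []),
}

# Protected regions identified from the packer structure (constructed addresses).
REGIONS = {"R1": range(0x2000, 0x2100), "R2": range(0x3000, 0x3100)}

# Addresses executed during the single-path run (constructed trace).
TRACE = [0x1000, 0x1001, 0x1003, 0x1005, 0x1007, 0x1009]


def region_of(addr, regions):
    for name, rng in regions.items():
        if addr in rng:
            return name
    return None


def reachable_new_regions(code, regions, executed, start):
    """Walk the static CFG from `start`, stopping at code the trace already covered,
    and collect the protected regions this unexplored path can transfer control into."""
    found, seen, queue = set(), set(), deque([start])
    while queue:
        addr = queue.popleft()
        if addr in seen or addr in executed:
            continue
        seen.add(addr)
        if addr not in code:                  # not recovered in the first run
            name = region_of(addr, regions)
            if name:
                found.add(name)
            continue
        queue.extend(code[addr][1])
    return found


def prioritize_branches(code, regions, trace):
    """Rank executed conditional branches by how many not-yet-unpacked regions their
    unexplored successor leads to; branches whose other side only reaches code that
    was already seen are dropped, so exploration is not spent on them."""
    executed = set(trace)
    ranked = []
    for i, addr in enumerate(trace[:-1]):
        succs = code[addr][1]
        if len(succs) != 2 or code[addr][0] == "call":
            continue                          # not a conditional branch
        followed = trace[i + 1]
        for alt in succs:
            if alt == followed:
                continue
            regions_hit = reachable_new_regions(code, regions, executed, alt)
            if regions_hit:
                ranked.append((addr, alt, regions_hit))
    ranked.sort(key=lambda t: len(t[2]), reverse=True)
    return ranked


if __name__ == "__main__":
    for branch, alt, regs in prioritize_branches(CODE, REGIONS, TRACE):
        print(f"explore branch at {branch:#x} towards {alt:#x}: may unpack {sorted(regs)}")
```

On the constructed input the branch at `0x1001` is ranked first because its unexplored side can reach both `R1` and `R2`, the branch at `0x1005` second, and the loop branch at `0x1007` is dropped entirely since its other side is code the single-path run already executed. That ordering is the only thing the multi-path engine needs from this step: it explores the highest-ranked branches first instead of every feasible path.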
Multi-path exploration has difficulty in scaling with real world binaries
Main solution to shifting decode frames is to apply multi-path exploration to trigger the unpacking of all the code regions
A set of optimizations for the application of multi-path exploration to binaries protected by shifting-decode-frames
We introduce a new heuristic that can guide multi-path exploration to unpack previously unseen regions of code