Presented at the VB2023 conference in London, 4 – 6 October 2023.
✪ PRESENTED BY ✪
• Georgy Kucherin (Kaspersky)
✪ ABSTRACT ✪
Code virtualization is one of the most challenging obfuscation techniques. It involves translating code into a custom instruction set that is unknown to reverse engineers. As the process of removing this obfuscation is tedious, advanced threat actors like Lazarus or FinFisher favour protecting their malware with virtualization.
Existing papers on deobfuscating virtualized code rely on creating standalone instruments. The typical workflow of such tools consists of disassembling virtualized code, optimizing it and then converting it to a known architecture such as x86. The deobfuscated code is then loaded into a reverse engineering framework such as IDA for further analysis.
In our paper, we present a novel and less arduous approach to defeating code virtualization. Rather than using standalone tools, we rely entirely on IDA Pro and Hex-Rays Decompiler, two popular reverse engineering instruments. As Hex-Rays already implements various code optimization routines, it allows deobfuscation to be performed with much less effort.
We describe our approach step by step, demonstrating how to apply it to FinSpy VM, a malware obfuscator commonly discussed in papers on code devirtualization. First, we introduce features of the IDA SDK that we use for automating deobfuscation. Then, we explain how to translate virtualized code into the x86 architecture using the disassembler API. Finally, we detail how to harness the Hex-Rays microcode to decompile the translated assembly into C and thus obtain clean devirtualized code. While describing the deobfuscation process, we will provide multiple recommendations on how to efficiently use the scripting capabilities of IDA and Hex-Rays Decompiler.
The commented code of the deobfuscator will be released along with the paper. It can be used as a template for working with other virtualized malware.
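The core of the workflow in the abstract is a two-stage pipeline: disassemble the custom bytecode into VM instructions, then re-encode each VM instruction as native x86 so that a decompiler can take over from there. The following is an added example written for this page, not code from the paper or from the FinSpy deobfuscator it describes. The VM instruction set, the XOR mask on operands and the sample program are all constructed for illustration (they are not the FinSpy VM encoding), and no IDA or Hex-Rays API is used so it runs offline.

```python
"""Toy stack-VM disassembler, x86 lifter and reference interpreter.

Constructed example: opcode numbers, operand masking and sample programs
are invented for illustration and do not describe any real VM format.
"""
import struct

# Constructed encoding: 1-byte opcode, optionally followed by a 4-byte
# little-endian operand that is XOR-masked with OPERAND_KEY (a cheap trick
# many real VMs use to hide immediates from string/constant scanning).
OPERAND_KEY = 0xA5A5A5A5
OP_PUSH_IMM, OP_ADD, OP_SUB, OP_XOR, OP_RET = 0x10, 0x20, 0x21, 0x22, 0x30
MNEMONIC = {OP_PUSH_IMM: "vpush", OP_ADD: "vadd", OP_SUB: "vsub",
            OP_XOR: "vxor", OP_RET: "vret"}
HAS_OPERAND = {OP_PUSH_IMM}

# Hand-encoded 32-bit x86 for each stack operation. Binary ops are
# "pop ecx (rhs); pop eax (lhs); <op> eax, ecx; push eax".
X86_TEMPLATES = {
    OP_ADD: bytes.fromhex("5958 01C8 50"),   # add eax, ecx
    OP_SUB: bytes.fromhex("5958 29C8 50"),   # sub eax, ecx
    OP_XOR: bytes.fromhex("5958 31C8 50"),   # xor eax, ecx
    OP_RET: bytes.fromhex("58C3"),           # pop eax; ret
}


def vm_program(instrs):
    """Build constructed sample bytecode from [(opcode, operand_or_None)]."""
    out = bytearray()
    for op, operand in instrs:
        out.append(op)
        if op in HAS_OPERAND:
            out += struct.pack("<I", (operand ^ OPERAND_KEY) & 0xFFFFFFFF)
    return bytes(out)


def disassemble(code):
    """Return [(vm_offset, opcode, operand_or_None)], stopping at vret.

    Malformed input (unknown opcode, truncated operand) raises ValueError
    rather than silently producing a wrong listing.
    """
    insns, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if op not in MNEMONIC:
            raise ValueError(f"unknown VM opcode 0x{op:02x} at offset {pc}")
        operand, size = None, 1
        if op in HAS_OPERAND:
            if pc + 5 > len(code):
                raise ValueError(f"truncated operand at offset {pc}")
            (masked,) = struct.unpack_from("<I", code, pc + 1)
            operand, size = masked ^ OPERAND_KEY, 5
        insns.append((pc, op, operand))
        pc += size
        if op == OP_RET:
            break
    return insns


def lift_to_x86(code):
    """Translate VM bytecode into 32-bit x86 machine code.

    Returns (x86_bytes, offset_map) where offset_map[vm_offset] is the
    x86 offset of that instruction; a real deobfuscator keeps this map so
    VM branch targets can be rewritten to native targets.
    """
    out, offset_map = bytearray(), {}
    for vm_off, op, operand in disassemble(code):
        offset_map[vm_off] = len(out)
        if op == OP_PUSH_IMM:
            out += b"\x68" + struct.pack("<I", operand)   # push imm32
        else:
            out += X86_TEMPLATES[op]
    return bytes(out), offset_map


def interpret(code):
    """Reference interpreter used to check the lift preserves semantics."""
    stack = []
    for _, op, operand in disassemble(code):
        if op == OP_PUSH_IMM:
            stack.append(operand & 0xFFFFFFFF)
        elif op == OP_RET:
            return stack.pop()
        else:
            rhs, lhs = stack.pop(), stack.pop()
            if op == OP_ADD:
                stack.append((lhs + rhs) & 0xFFFFFFFF)
            elif op == OP_SUB:
                stack.append((lhs - rhs) & 0xFFFFFFFF)
            else:
                stack.append(lhs ^ rhs)
    raise ValueError("bytecode has no vret")


def listing(code):
    """Side-by-side text: each VM instruction and the x86 bytes it became."""
    x86, offset_map = lift_to_x86(code)
    insns = disassemble(code)
    lines = []
    for i, (vm_off, op, operand) in enumerate(insns):
        start = offset_map[vm_off]
        end = offset_map[insns[i + 1][0]] if i + 1 < len(insns) else len(x86)
        text = MNEMONIC[op] + (f" {operand:#x}" if operand is not None else "")
        lines.append(f"{vm_off:04x}  {text:<14} -> {x86[start:end].hex(' ')}")
    return "\n".join(lines)


# Constructed sample: computes 5 - 3.
SAMPLE = vm_program([(OP_PUSH_IMM, 5), (OP_PUSH_IMM, 3),
                     (OP_SUB, None), (OP_RET, None)])

if __name__ == "__main__":
    print(listing(SAMPLE))
    print("interpreter result:", interpret(SAMPLE))
```

In the IDA-based workflow the abstract describes, the bytes returned by `lift_to_x86` would be written into a fresh segment of the database and a function created over them, at which point Hex-Rays does the optimisation and produces C; the interpreter here stands in for the emulation check that confirms the translation kept the original semantics.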