Authors: Kou Yu (寇宇); Wang Qijun (王其军)
Affiliations: [1] School of Computer Science, Southwest Petroleum University, Chengdu 610500, China; [2] School of Petroleum Engineering, Southwest Petroleum University, Chengdu 610500, China
Source: Application Research of Computers (《计算机应用研究》), 2022, No. 11, pp. 3465-3469, 3474 (6 pages)
Abstract: The obfuscator low level virtual machine (OLLVM) is a well-known code obfuscation tool, which is not only used to protect the security of commercial software but is also used by malicious code developers to increase the difficulty of analysis. To facilitate the analysis of ARM malware by security researchers, this paper proposes and implements an automatic OLLVM deobfuscation method based on dynamic analysis. For bogus control flow, the method monitors memory reads and writes based on the memory characteristics of opaque predicates and uses dynamic taint analysis to identify the bogus control flow and complete deobfuscation. For control flow flattening, the method completes deobfuscation by dynamically running the program and recording the execution order of basic blocks. At the same time, it uses exploration of multiple execution paths to improve code coverage, and finally restores the relationships between basic blocks through instruction repair. The experimental results show that the method can accurately eliminate the conditional branches introduced by obfuscation in executable programs, and that the running results of the deobfuscated programs are consistent with those of the unobfuscated programs. This verifies that the method can effectively complete the deobfuscation of obfuscated ARM programs.
Classification: TP393 [Automation and Computer Technology: Computer Application Technology]