Article

Twinner: A framework for automated software deobfuscation

Journal

SCIENTIA IRANICA
Volume 26, Issue 6, Pages 3485-3509

Publisher

SHARIF UNIV TECHNOLOGY
DOI: 10.24200/sci.2019.21601

Keywords

Virtualization obfuscation; Malware analysis; Automated deobfuscation; Twincode generation

Malware analysis is essential to understanding the internal logic and intent of malware programs in order to mitigate their threats. As analysis methods have evolved, malware authors have adopted additional techniques, such as virtualization obfuscation, to protect the inner workings of their malware. This manuscript presents a framework for deobfuscating software that abstracts the input program into a mathematical model of its behavior by monitoring every single operation performed during the malware's execution. In addition, the program is guided automatically through its different execution paths in order to gather as much knowledge as possible in the shortest time span. This makes it possible to uncover hidden logic and to deobfuscate different obfuscation techniques without depending on their specific details. The resulting model is recoded as a C program without the artificially added complexities. This code is called a twincode and behaves in the same manner as the obfuscated binary. As a proof of concept, the proposed framework is implemented and its effectiveness is evaluated on obfuscated binaries. Program control flow graphs are inspected as a measure of successful code recovery. The performance of the proposed framework is evaluated using the set of SPEC test programs. (C) 2019 Sharif University of Technology. All rights reserved.
