Deobfuscation of machine code using dynamic flow graphs

The generation and simplification of dynamic flow graphs enable us to understand obfuscated machine code. Dynamic flow graphs are used to mitigate the effects of obfuscation using information from concrete executions. In this research, two types of dynamic flow graphs are used: dynamic data flow graphs and dynamic control flow graphs. Dynamic data flow graphs are constructed to capture the relationship between the input and output. They have both symbolic expressions and concrete values of the computation results. The effects of the obfuscation can be removed by simplifying the graphs using algebraic identities and the general properties of well-behaved programs. Dynamic control flow graphs represent the intrinsic control flow information. Their nodes have dynamic data flow graphs that correspond to the computations between variable-dependent jumps. Their edges connect the nodes, annotating the directions of the jumps with branch conditions. Before constructing dynamic control flow graphs, a dependence analysis is conducted on all jumps in the obfuscated execution to find jumps that correspond to the jumps in the original code. That is, input-dependent jumps and variable-dependent jumps are identified using dynamic data flow graphs for jump target addresses. Solvers are applied to the graphs to synthesize the branch conditions of the jumps. Input values for possible execution paths that can improve the code coverage can be identified based on an analysis of the branch conditions. The efficacy of the proposed approach is evaluated against various obfuscators. The experimental results show that the complexity of the simplified flow graphs from obfuscated executables is comparable to that from the original executables. With dynamic flow graphs, obfuscated malicious software becomes analyzable, allowing us to respond to cyberattacks more effectively.
Advisors
Bae, Doo-Hwan (배두환); Han, Taisook (한태숙)
Description
Korea Advanced Institute of Science and Technology (KAIST): School of Computing
Publisher
Korea Advanced Institute of Science and Technology (KAIST)
Issue Date
2020
Identifier
325007
Language
eng
Description
Thesis (Ph.D.) - Korea Advanced Institute of Science and Technology (KAIST): School of Computing, 2020.2, [v, 82 p. :]
Keywords
deobfuscation; reverse engineering; dynamic binary analysis; dynamic flow graph; graph rewriting; dependence analysis; control flow reconstruction
URI
http://hdl.handle.net/10203/284153
Link
http://library.kaist.ac.kr/search/detail/view.do?bibCtrlNo=909371&flag=dissertation
Appears in Collection
CS-Theses_Ph.D.(박사논문)
Files in This Item
There are no files associated with this item.