
Deobfuscation method for the low level virtual machine obfuscator based on dynamic analysis.

Authors :
寇宇
王其军
Source :
Application Research of Computers / Jisuanji Yingyong Yanjiu. Nov2022, Vol. 39 Issue 11, p3465-3474. 6p.
Publication Year :
2022

Abstract

The low level virtual machine obfuscator (OLLVM) is a well-known code obfuscation tool, which is not only used to protect the security of commercial software, but also used by malicious code developers to increase the difficulty of analysis. In order to facilitate the analysis of ARM malware by security researchers, this paper proposed and implemented an OLLVM automatic deobfuscation method based on dynamic analysis. For bogus control flow, this method monitored memory reads and writes based on the memory characteristics of opaque predicates and used dynamic taint analysis technology to identify it to complete deobfuscation; for control flow flattening, the method completed deobfuscation by dynamically running the program and recording the execution order of basic blocks; at the same time, multiple execution path exploration was used to improve code coverage, and finally the relationship between basic blocks was restored through instruction repair. The experimental results show that the method could accurately eliminate the conditional branches caused by obfuscation in executable programs, and the running results of the deobfuscated programs were consistent with the unobfuscated programs. It verifies that the method can effectively complete the deobfuscation of ARM obfuscated programs. [ABSTRACT FROM AUTHOR]

Details

Language :
Chinese
ISSN :
10013695
Volume :
39
Issue :
11
Database :
Academic Search Index
Journal :
Application Research of Computers / Jisuanji Yingyong Yanjiu
Publication Type :
Academic Journal
Accession number :
160340062
Full Text :
https://doi.org/10.19734/j.issn.1001-3695.2022.04.0157