Title of article :
Twinner: A framework for automated software deobfuscation
Author/Authors :
Momeni, B. Department of Computer Engineering - Sharif University of Technology, Tehran, Iran , Kharrazi, M. Department of Computer Engineering - Sharif University of Technology, Tehran, Iran
Abstract :
Malware analysis is essential to understanding the internal logic and intent of
malware programs in order to mitigate their threats. As analysis methods have evolved,
malware authors have adopted further techniques, such as virtualization obfuscation,
to protect the inner workings of their malware. This manuscript presents a framework for
deobfuscating software, which abstracts the input program into a mathematical
model of its behavior by monitoring every single operation performed during the
malware's execution. The program is also guided automatically through its different execution
paths in order to gather as much knowledge as possible in the shortest time
span. This makes it possible to find hidden logic and to deobfuscate different obfuscation
techniques without depending on their specific details. The resulting model is
recoded as a C program without the artificially added complexities. This code is called
a twincode and behaves in the same manner as the obfuscated binary. As a proof of
concept, the proposed framework is implemented and its effectiveness is evaluated on
obfuscated binaries. Program control flow graphs are inspected as a measure of successful
code recovery. The performance of the proposed framework is evaluated using the set of
SPEC test programs.
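The following is an added toy illustration of the idea the abstract describes (recording every operation of a virtualized program as a symbolic model, cancelling the obfuscator's artificial complexity in that model, and emitting the result as plain C). It is not the Twinner implementation from the paper, which works on real binaries and explores multiple execution paths; the three-opcode register VM, the junk-padded bytecode program, the peephole simplification rules and the names used here are all constructed for this example, and branching is deliberately left out.

```python
"""Toy trace-based deobfuscation: run an 'obfuscated' bytecode program under
instrumentation, build a symbolic model of its output over its inputs, then
emit that model as a C function (a toy 'twincode').  Constructed example,
not code from the Twinner paper."""

from dataclasses import dataclass

MASK = 0xFFFFFFFF  # 32-bit unsigned arithmetic, matching the emitted C


@dataclass(frozen=True)
class Node:
    op: str            # 'in', 'const', '+', '^', '*'
    args: tuple = ()   # (index,) for 'in', (value,) for 'const', else child Nodes


def inp(i):
    return Node('in', (i,))


def const(v):
    return Node('const', (v & MASK,))


def is_const(n, v=None):
    return n.op == 'const' and (v is None or n.args[0] == v)


def build(op, a, b):
    """Build op(a, b) with algebraic simplification.  This is the modelling
    step: junk the obfuscator inserted cancels here instead of being copied."""
    if is_const(a) and is_const(b):                       # constant folding
        x, y = a.args[0], b.args[0]
        return const({'+': x + y, '^': x ^ y, '*': x * y}[op])
    if op == '+' and is_const(b, 0): return a             # x + 0 -> x
    if op == '+' and is_const(a, 0): return b
    if op == '*' and is_const(b, 1): return a             # x * 1 -> x
    if op == '*' and is_const(a, 1): return b
    if op == '*' and (is_const(a, 0) or is_const(b, 0)): return const(0)
    if op == '^' and a == b: return const(0)              # x ^ x -> 0
    if op == '^' and is_const(b, 0): return a
    if op == '^' and is_const(a, 0): return b
    if op == '^' and is_const(b) and a.op == '^' and is_const(a.args[1]):
        # (x ^ k1) ^ k2 -> x ^ (k1 ^ k2); collapses encode/decode pairs
        return build('^', a.args[0], const(a.args[1].args[0] ^ b.args[0]))
    return Node(op, (a, b))


BIN = {'ADD': '+', 'XOR': '^', 'MUL': '*'}


def run_traced(program):
    """Interpret the bytecode with registers holding symbolic Nodes, so every
    executed operation is recorded in the model.  Returns the RET value."""
    regs = {}
    for mnem, *ops in program:
        if mnem == 'LDIN':   regs[ops[0]] = inp(ops[1])
        elif mnem == 'LDC':  regs[ops[0]] = const(ops[1])
        elif mnem in BIN:    regs[ops[0]] = build(BIN[mnem], regs[ops[1]], regs[ops[2]])
        elif mnem == 'RET':  return regs[ops[0]]
        else: raise ValueError(f'unknown opcode {mnem}')
    raise ValueError('program ended without RET')


def run_concrete(program, inputs):
    """Plain concrete interpreter of the same VM, used as ground truth."""
    regs = {}
    for mnem, *ops in program:
        if mnem == 'LDIN':  regs[ops[0]] = inputs[ops[1]] & MASK
        elif mnem == 'LDC': regs[ops[0]] = ops[1] & MASK
        elif mnem == 'ADD': regs[ops[0]] = (regs[ops[1]] + regs[ops[2]]) & MASK
        elif mnem == 'XOR': regs[ops[0]] = regs[ops[1]] ^ regs[ops[2]]
        elif mnem == 'MUL': regs[ops[0]] = (regs[ops[1]] * regs[ops[2]]) & MASK
        elif mnem == 'RET': return regs[ops[0]]
    raise ValueError('program ended without RET')


def evaluate(n, inputs):
    """Evaluate a model Node on concrete inputs (checks the model is faithful)."""
    if n.op == 'in':    return inputs[n.args[0]] & MASK
    if n.op == 'const': return n.args[0]
    a, b = (evaluate(c, inputs) for c in n.args)
    return {'+': a + b, '^': a ^ b, '*': a * b}[n.op] & MASK


def to_c(n):
    if n.op == 'in':    return f'x{n.args[0]}'
    if n.op == 'const': return f'{n.args[0]}u'
    return f'({to_c(n.args[0])} {n.op} {to_c(n.args[1])})'


def twincode(program, n_inputs, name='twin'):
    """Emit the recovered model as a C function with the same behaviour."""
    params = ', '.join(f'uint32_t x{i}' for i in range(n_inputs))
    return f'uint32_t {name}({params}) {{ return {to_c(run_traced(program))}; }}'


# Constructed 'obfuscated' program: computes (x0 + 5) * 3 behind an XOR
# encode/decode pair and two junk operations (add 0, multiply by 1).
OBFUSCATED = [
    ('LDIN', 0, 0), ('LDC', 1, 0x5A5A), ('XOR', 0, 0, 1),   # r0 = x0 ^ k
    ('LDC', 2, 0), ('ADD', 0, 0, 2),                         # r0 += 0   (junk)
    ('XOR', 0, 0, 1),                                        # r0 ^= k   (decode)
    ('LDC', 2, 5), ('ADD', 0, 0, 2),                         # r0 = x0 + 5
    ('LDC', 3, 1), ('MUL', 0, 0, 3),                         # r0 *= 1   (junk)
    ('LDC', 3, 3), ('MUL', 0, 0, 3),                         # r0 *= 3
    ('RET', 0),
]

if __name__ == '__main__':
    print(twincode(OBFUSCATED, 1))
```

The check that matters in practice is the last one: the emitted twincode must agree with the original program on concrete inputs, including wraparound cases, before the recovered model is trusted.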
Keywords :
Virtualization obfuscation , Malware analysis , Automated deobfuscation , Twincode generation
Journal title :
Scientia Iranica(Transactions D: Computer Science and Electrical Engineering)