Difference between revisions of "Anti-disassembly"

From Unprotect Project
m (Admin moved page Anti-Disassembly to Anti-disassembly)
(Techniques)
Revision as of 18:40, 13 November 2016

Technique Description

Malware often uses anti-disassembly techniques to hinder reverse engineering. Anti-disassembly places specially crafted code or data in a program so that disassembly tools produce an incorrect program listing. Malware authors craft this by hand, with a separate tool in the build and deployment process, or by interweaving it into the malware's source code.

Techniques

Below is a list of all the anti-disassembly techniques in Unprotect Project:

Anti Disassembly Techniques

API obfuscation: API obfuscation is a technique used by malware to avoid analysis. Normally, once a binary is disassembled, the disassembler is able to print the name of the API being called. If API obfuscation is used, the disassembler prints only a CALL, without the name of the function.
Opcode obfuscation
Dynamically computed target address
Disassembly synchronisation
Control flow graph flattening
Inserting junk code
Spaghetti code
Obscuring flow control
Impossible disassembly
Jump instruction with same target: This technique uses back-to-back conditional jump instructions that both point to the same target. If a jz loc_512 is followed by jnz loc_512, the location loc_512 will always be jumped to. The combination of jz with jnz is, in effect, an unconditional jmp, but the disassembler doesn't recognize it as such because it only disassembles one instruction at a time.
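As an added example (not code from the Unprotect Project page), the following Python scanner flags the jz/jnz same-target pattern described above in raw x86 bytes and reports the dead bytes that a linear-sweep disassembler would decode at the wrong offset. The sample bytes are constructed for this example; 0x74 and 0x75 are the short (rel8) encodings of jz and jnz.

```python
# Short conditional jump opcodes involved in the pattern (8-bit relative operand).
JCC_SHORT = {0x74: "jz", 0x75: "jnz"}


def _rel8(b: int) -> int:
    """Interpret one displacement byte as a signed 8-bit value."""
    return b - 256 if b > 127 else b


def find_same_target_jumps(code: bytes, base: int = 0) -> list:
    """Scan raw x86 bytes for a jz/jnz (or jnz/jz) pair resolving to one target.

    A short jump's target is (offset of the next instruction) + rel8, so two
    adjacent 2-byte jumps share a target exactly when rel8_first == rel8_second + 2.
    Each hit records the pair's offset, the shared target and the bytes between
    the second jump and the target: those bytes never execute, but a disassembler
    that decodes one instruction at a time treats them as the next instruction.
    """
    hits = []
    for i in range(len(code) - 3):
        op1, op2 = code[i], code[i + 2]
        if op1 not in JCC_SHORT or op2 not in JCC_SHORT or op1 == op2:
            continue  # need one jz and one jnz, in either order
        t1 = i + 2 + _rel8(code[i + 1])
        t2 = i + 4 + _rel8(code[i + 3])
        if t1 != t2:
            continue
        # Only a forward target leaves a gap of dead bytes after the pair.
        dead = code[i + 4:t1] if t1 >= i + 4 else b""
        hits.append({
            "offset": base + i,
            "mnemonics": (JCC_SHORT[op1], JCC_SHORT[op2]),
            "target": base + t1,
            "dead_bytes": dead,
        })
    return hits


# Constructed sample: jz +3; jnz +1; one rogue byte (0xE8, the opcode of a 5-byte
# CALL, which swallows the real code that follows); then the shared target
# (xor eax, eax; ret).
SAMPLE = bytes([0x74, 0x03, 0x75, 0x01, 0xE8, 0x31, 0xC0, 0xC3])

if __name__ == "__main__":
    for h in find_same_target_jumps(SAMPLE, base=0x512):
        print(f"{h['mnemonics'][0]}/{h['mnemonics'][1]} pair at {h['offset']:#x} "
              f"-> {h['target']:#x}, dead bytes {h['dead_bytes'].hex()}")
```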

References