Difference between revisions of "Anti-disassembly"

From Unprotect Project

Revision as of 18:46, 13 November 2016

Technique Description

Malware often uses anti-disassembly techniques to slow down or mislead reverse engineering. Anti-disassembly relies on specially crafted code or data placed in a program so that disassembly tools produce an incorrect program listing, for example by decoding bytes that never execute or by hiding the real target of a branch. Malware authors apply these tricks by hand, with a separate tool in the build and deployment process, or by interweaving them with the malware's source code.


Below is a list of all the anti-disassembly techniques in Unprotect Project:

Anti Disassembly Techniques

Technique: Description (where this revision gives one)

API obfuscation: A technique used by malware to hide which API functions it calls. A disassembler normally resolves the imports and labels each CALL with the name of the API; when API obfuscation is used (for instance resolving the address at run time from a hash of the name) the listing shows only a CALL through a register or a computed address, with no function name attached.
Opcode obfuscation
Dynamically computed target address
Disassembly desynchronisation
Control flow graph flattening
Inserting junk code
Spaghetti code
Obscuring flow control:
    Function pointer problem
    Adding missing cross-ref
    Return pointer abuse
    Misusing SEH
Impossible disassembly
Jump instruction with same target: This technique uses two back-to-back conditional jump instructions that both point to the same target. If a jz loc_512 is followed by a jnz loc_512, execution always ends up at loc_512 whichever way the zero flag is set. The combination of jz with jnz is, in effect, an unconditional jmp, but the disassembler does not recognise it as such because it decodes one instruction at a time and still treats the byte after the jnz as a possible fall-through. That byte is never executed, so the author can place a rogue byte there (typically the first byte of a multi-byte instruction) that pulls the disassembler out of sync with the real instruction stream.
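To make the jz/jnz trick concrete, the following is an added example written for this page; it is not code from the Unprotect Project. It is a toy Python decoder that understands only the six opcodes present in a constructed 13-byte sample (xor eax,eax; jz and jnz to the same target; a rogue 0xE8 byte; mov eax,1; ret). linear_sweep() decodes one instruction after another as a naive disassembler would, swallows the rogue 0xE8 as the opcode of a five-byte CALL and therefore never shows the mov or the ret. flow_aware() follows control flow and additionally treats a conditional jump followed by its complement to the same target as an unconditional jump, so the dead byte is never decoded and is listed as data.

```python
"""Toy x86 decoder showing how a jz/jnz pair to the same target desynchronises
a linear disassembler. It handles only the opcodes that occur in SAMPLE."""
import struct

# Constructed sample (not taken from any real binary), 13 bytes:
#   00: 31 C0           xor eax, eax
#   02: 74 03           jz  0x07
#   04: 75 01           jnz 0x07        ; together with the jz this is an unconditional jump
#   06: E8              rogue byte: opcode of a 5-byte CALL, never executed
#   07: B8 01 00 00 00  mov eax, 1
#   0C: C3              ret
SAMPLE = bytes.fromhex("31C0" "7403" "7501" "E8" "B801000000" "C3")

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REG8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]
COMPLEMENT = {0x74: 0x75, 0x75: 0x74}  # jz <-> jnz


def decode_one(code, off):
    """Decode one instruction at `off`; return (length, text, branch_target_or_None)."""
    op = code[off]
    if op == 0xC3:
        return 1, "ret", None
    if op in (0x74, 0x75):                       # jz/jnz rel8
        rel = struct.unpack_from("<b", code, off + 1)[0]
        tgt = off + 2 + rel
        return 2, f"{'jz' if op == 0x74 else 'jnz'} 0x{tgt:02x}", tgt
    if op == 0xE8:                               # call rel32
        rel = struct.unpack_from("<i", code, off + 1)[0]
        return 5, f"call 0x{off + 5 + rel:x}", None
    if op == 0xB8:                               # mov eax, imm32
        imm = struct.unpack_from("<I", code, off + 1)[0]
        return 5, f"mov eax, 0x{imm:x}", None
    if op in (0x00, 0x31):                       # add r/m8, r8  /  xor r/m32, r32
        modrm = code[off + 1]
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        if mod != 3:                             # only register-direct forms are supported here
            raise ValueError(f"unsupported modrm {modrm:02x} at 0x{off:02x}")
        names = REG8 if op == 0x00 else REG32
        return 2, f"{'add' if op == 0x00 else 'xor'} {names[rm]}, {names[reg]}", None
    raise ValueError(f"unsupported opcode {op:02x} at 0x{off:02x}")


def linear_sweep(code):
    """Decode from offset 0 to the end, one instruction after another, never looking at flow."""
    listing, off = [], 0
    while off < len(code):
        length, text, _ = decode_one(code, off)
        listing.append((off, text))
        off += length
    return listing


def flow_aware(code):
    """Recursive traversal from offset 0. A conditional jump immediately followed by its
    complement to the same target is treated as 'jmp target', so the fall-through byte
    after the second jump is never decoded; bytes never reached are emitted as db."""
    seen, work = {}, [0]                         # seen: off -> (length, text)
    while work:
        off = work.pop()
        if off in seen or off >= len(code):
            continue
        length, text, tgt = decode_one(code, off)
        nxt = off + length
        op = code[off]
        if op in COMPLEMENT and nxt < len(code) and code[nxt] == COMPLEMENT[op]:
            length2, text2, tgt2 = decode_one(code, nxt)
            if tgt2 == tgt:                      # jz X ; jnz X  ==  jmp X
                seen[off] = (length, text)
                seen[nxt] = (length2, text2 + "  ; pairs with previous jump: unconditional")
                work.append(tgt)
                continue
        seen[off] = (length, text)
        if text != "ret":
            work.append(nxt)
        if tgt is not None:
            work.append(tgt)
    listing, off = [], 0
    while off < len(code):
        if off in seen:
            length, text = seen[off]
            listing.append((off, text))
            off += length
        else:
            listing.append((off, f"db 0x{code[off]:02x}  ; never reached"))
            off += 1
    return listing


if __name__ == "__main__":
    for title, fn in (("linear sweep", linear_sweep), ("flow-aware", flow_aware)):
        print(title)
        for off, text in fn(SAMPLE):
            print(f"  {off:02x}: {text}")
```

On the sample the linear listing ends with "call 0x1c3" and "add bl, al", neither of which exists in the real program, while the flow-aware listing shows the mov and the ret and flags offset 06 as data. Real disassemblers follow flow but, as the table says, do not apply the pair rule by default, so the analyst has to spot the pattern and mark the rogue byte as data by hand.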
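The API obfuscation row above describes the effect (a CALL with no name) but not the mechanism. One widely used form is name hashing: the binary stores only a 32-bit hash of each API name and resolves the address at run time by hashing every export of the target module until one matches. The following is an added example for this page, not Unprotect Project code; it uses the ROR13 rotate-add loop popularised by Metasploit's block_api shellcode, applied here to the bare function name, and the export table is a constructed list of names rather than a parsed PE export directory.

```python
"""API obfuscation by name hashing: the binary carries only a 32-bit hash of each API
name and resolves it at run time by hashing every export until one matches.
The export list below is constructed for the example; a real resolver walks the PE
export directory of the loaded module and returns the matching address."""
import struct

CONSTRUCTED_EXPORTS = [
    "CloseHandle", "CreateFileW", "GetProcAddress", "LoadLibraryA",
    "VirtualAlloc", "VirtualFree", "VirtualProtect", "WriteProcessMemory",
]


def ror13_hash(name: str) -> int:
    """32-bit ROR13 hash: rotate the accumulator right by 13, then add the next byte."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


def build_hash_table(wanted):
    """Build-time step: the little-endian hash list that gets embedded instead of import names."""
    return struct.pack("<%dI" % len(wanted), *(ror13_hash(n) for n in wanted))


def resolve(table: bytes, exports):
    """Run-time step: map each embedded hash back to an export by hashing every export name.
    Returns the resolved names in table order, with None where nothing matches."""
    by_hash = {ror13_hash(n): n for n in exports}
    hashes = struct.unpack("<%dI" % (len(table) // 4), table)
    return [by_hash.get(h) for h in hashes]


def names_visible(table: bytes, exports) -> bool:
    """What a strings or import scan of the embedded blob would see: True if any API name
    appears literally in it (it does not, which is the point of the technique)."""
    return any(n.encode("ascii") in table for n in exports)


if __name__ == "__main__":
    table = build_hash_table(["VirtualAlloc", "WriteProcessMemory", "CreateFileW"])
    print("embedded:", table.hex())
    print("resolved:", resolve(table, CONSTRUCTED_EXPORTS))
    print("names visible to strings:", names_visible(table, CONSTRUCTED_EXPORTS))
```

For the analyst the same loop runs in reverse: because the hash function is fixed, a table of precomputed hashes for the common DLL exports turns the constants found in the binary straight back into API names, which is how tools label these calls even though the import table is empty.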