CFGDump: A tool for generic unpacking of polymorphic packed binaries
Given the large number of highly obfuscated and packed malicious binaries, reverse engineers need efficient ways to dig for de-obfuscated content. CFGDump is a fast dynamic mechanism that rebuilds payloads and arbitrary memory dumps back into full OS-native binary applications, including import tables and the entry point, even when these were not available in the first place. While existing tools handle memory dumps in a standard way, CFGDump uses a CFG (control flow graph) brute-force approach to recover the original entry point of payloads and unpacked pieces of code, as well as a CFG fingerprinting algorithm to spot the end of the unpacking sequence. Our tool is currently used to assist ransomware decryption with reliable content, starting from packed ransomware binaries.
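As an added illustration of the two ideas in the abstract (example code written for this page, not CFGDump's own implementation), the Python below brute-forces every offset of a constructed memory dump as a candidate entry point, scores each candidate by the size of the fully decodable control flow graph it yields, and fingerprints that graph relative to the entry point so that successive dumps can be compared to tell when unpacking has stopped changing the code. It assumes a constructed five-opcode toy instruction set in place of x86, so the decoder, the sample dumps and the scoring rule are all assumptions.

```python
import hashlib
from typing import List, Set, Tuple

# Constructed toy instruction set (an assumption for this example, not CFGDump's decoder):
# 00 NOP | 01 rel8 JMP | 02 rel8 JCC | 03 RET | 04 rel8 CALL ; any other byte is undecodable.
NOP, JMP, JCC, RET, CALL = 0x00, 0x01, 0x02, 0x03, 0x04

def rel8(b: int) -> int:
    return b - 256 if b > 127 else b  # signed 8-bit displacement

def build_cfg(dump: bytes, entry: int) -> Tuple[Set[Tuple[int, int]], Set[int], bool]:
    """Follow control flow from `entry`; return (edges, block starts, fully_decodable)."""
    edges: Set[Tuple[int, int]] = set()
    seen: Set[int] = set()
    work: List[int] = [entry]
    valid = True
    while work:
        pc = work.pop()
        if pc in seen:
            continue
        if not 0 <= pc < len(dump):       # branch target outside the dump
            valid = False
            continue
        seen.add(pc)
        start = pc
        while True:                       # decode one basic block linearly
            if pc >= len(dump):
                valid = False
                break
            op = dump[pc]
            if op == NOP:
                pc += 1
                continue
            if op == RET:
                break
            if op in (JMP, JCC, CALL) and pc + 1 < len(dump):
                target = pc + 2 + rel8(dump[pc + 1])
                succs = [target] if op == JMP else [target, pc + 2]
                for s in succs:
                    edges.add((start, s))
                    work.append(s)
                break
            valid = False                 # undecodable byte or truncated immediate
            break
    return edges, seen, valid

def recover_entry(dump: bytes) -> int:
    """Brute force every offset as a candidate EP; prefer fully decodable, then largest CFG."""
    best, best_key = -1, (False, 0)
    for cand in range(len(dump)):
        _, blocks, valid = build_cfg(dump, cand)
        if (valid, len(blocks)) > best_key:
            best, best_key = cand, (valid, len(blocks))
    return best

def cfg_fingerprint(dump: bytes, entry: int) -> str:
    """Hash of the edge set, expressed relative to the EP so relocation leaves it unchanged."""
    edges, _, _ = build_cfg(dump, entry)
    rel = sorted((a - entry, b - entry) for a, b in edges)
    return hashlib.sha256(repr(rel).encode()).hexdigest()

def unpacking_settled(snapshots: List[bytes]) -> bool:
    """True once the last two dumps yield the same CFG fingerprint at their recovered EP."""
    if len(snapshots) < 2:
        return False
    fps = [cfg_fingerprint(s, recover_entry(s)) for s in snapshots[-2:]]
    return fps[0] == fps[1]

# Constructed sample: an unpacked program preceded by junk bytes (no real EP marker anywhere).
PROGRAM = bytes([CALL, 0x05, JCC, 0x01, NOP, JMP, 0x02, NOP, RET, RET])
DUMP = bytes([0xFF] * 4) + PROGRAM                      # real EP is at offset 4
RELOCATED = bytes([0xFF] * 7) + PROGRAM                 # same code, EP now at offset 7
PARTIAL = bytes([0xFF] * 4) + PROGRAM[:4] + bytes([0xFF] * 6)   # unpacking not finished yet
```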
Craciun Vlad Constantin
Vlad Craciun received his Ph.D. degree in Computer Science from the Romanian institution “Alexandru Ioan Cuza University of Iasi”. He is currently working on automating the analysis of binary applications that implement analysis evasion, and is also an assistant professor at the same university, teaching various programming technologies. He joined Bitdefender Laboratories in early 2009, working on the disinfection of file infectors and the cryptographic analysis of ransomware. His current research interests include binary instrumentation, symbolic/concolic execution, and control flow analysis.