Bypassing evasive binaries with Dynamic Binary Instrumentation
Binary analysis is an important step during the reverse engineering of malicious threats. While for various reasons some of these threats are easy to decompile and understand, others implement many evasive techniques that let them become aware of analysis environments such as debuggers, sandboxes, emulators, etc. If any of these checks detects the presence of an analysis environment, the application may refuse to continue execution, or it may simply change its behavior to something that looks benign. To automate the reverse engineering of such binaries, we developed COBAI (Complex Orchestrator for Binary Analysis and Instrumentation), a DBI (Dynamic Binary Instrumentation) framework which allows us to profile malicious binaries and create rich execution traces. Compared to existing DBIs, COBAI is capable of stacking multiple plugins, fixing a significant number of evasive techniques, and following only the application code and its payloads. In this presentation we discuss the side effects of having, or not having, such a technology, and present a short comparative evaluation to understand its power, its limits and the effort required to make it better. In our evaluation we include ransomware binaries (for the Windows operating system), public tests for DBIs, as well as public benign binaries implementing hundreds of tests for various analysis environments. Among all these tests, COBAI is capable of passing just short of 100% of them, where others barely reach 30%. Our work was also published on arXiv (https://arxiv.org/abs/2306.13529), but was never presented in public.
Vlad Constantin Craciun – Bitdefender
Vlad Craciun is an Assistant Professor at the “Alexandru Ioan Cuza” University of Iasi, Faculty of Computer Science (Romania), studying the field of automated binary analysis. He joined Bitdefender Laboratories in early 2009 and has been involved in projects such as file-infector disinfection, post-incident response, forensics, building ransomware decryption tools and automating the reverse engineering of binaries. His current research interests include automated binary analysis, cryptography, symbolic execution, behaviour and Control Flow Graph analysis.