SHF: Small: Reverse Engineering Obfuscated Executables

Project Details

Lead PI

Performance Period

Sep 01, 2010 - Aug 31, 2012

Institution(s)

University of Arizona

Award Number


Outcomes Report URL


Malware code is usually heavily obfuscated with a variety of techniques that make the logic of the program difficult to understand. Existing malware-analysis tools provide little support for removing such obfuscations automatically, so analysts must spend a great deal of time doing it by hand. This project aims to develop techniques and tools that automate the identification and removal of obfuscation code from malware, focusing in particular on the class of obfuscations known as "virtualization-based obfuscation". It uses program analysis to identify the instructions that affect the program's observable behavior; these instructions are extracted and, where appropriate, simplified to obtain the deobfuscated malware code. The main impact of the project will be to let security researchers work out the internal logic of malware programs more easily and quickly. This, in turn, will make it possible to respond to new malware sooner and to develop countermeasures faster and with less manual intervention, reducing the damage malware can do before it is neutralized.
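The analysis step the abstract describes, illustrated with an added example that is not code from the project: a value-based backward slice over a constructed execution trace of a small bytecode interpreter, keeping only the instructions whose results reach a system call. The trace, the register and memory-cell names, and the choice of the system call as the observable sink are assumptions made for this illustration.

```python
# One executed instruction: (destination, operation, source operands).
# Registers and memory cells are plain names; real traces also need
# address resolution for loads and stores, which is omitted here.
Instr = tuple[str, str, list[str]]

# Constructed trace of a tiny bytecode VM: every bytecode instruction costs
# a fetch, a dispatch-table lookup and a jump before its handler runs.
TRACE: list[Instr] = [
    ("vpc",     "mov",     ["bc_base"]),           # VM setup
    ("opcode",  "load",    ["vpc"]),               # fetch
    ("handler", "index",   ["table", "opcode"]),   # dispatch
    ("pc",      "jmp",     ["handler"]),
    ("r1",      "load",    ["arg_ptr"]),           # handler: read input
    ("vpc",     "add",     ["vpc", "one"]),        # advance virtual pc
    ("opcode",  "load",    ["vpc"]),
    ("handler", "index",   ["table", "opcode"]),
    ("pc",      "jmp",     ["handler"]),
    ("r2",      "xor",     ["r1", "key"]),         # handler: compute
    ("vpc",     "add",     ["vpc", "one"]),
    ("opcode",  "load",    ["vpc"]),
    ("handler", "index",   ["table", "opcode"]),
    ("pc",      "jmp",     ["handler"]),
    ("out",     "syscall", ["r2"]),                # observable behaviour
]


def sinks(trace: list[Instr]) -> list[int]:
    """Indices of instructions whose effect is externally observable."""
    return [i for i, (_, op, _) in enumerate(trace) if op == "syscall"]


def backward_slice(trace: list[Instr], sink: int) -> list[int]:
    """Value-based backward dynamic slice ending at trace[sink].

    Walking backwards, an instruction is kept only if it defines a value the
    slice still needs.  The dispatcher's fetch/lookup/jump never feed such a
    value, so they fall away without any control-flow reasoning."""
    needed = set(trace[sink][2])
    kept = [sink]
    for i in range(sink - 1, -1, -1):
        dest, _, srcs = trace[i]
        if dest in needed:
            kept.append(i)
            needed.discard(dest)   # this definition satisfies the use...
            needed.update(srcs)    # ...and introduces its own operands
    return sorted(kept)


def deobfuscate(trace: list[Instr]) -> list[Instr]:
    """Union of the slices from every observable sink, in trace order."""
    keep: set[int] = set()
    for s in sinks(trace):
        keep.update(backward_slice(trace, s))
    return [trace[i] for i in sorted(keep)]
```

On this trace the slice keeps three of fifteen instructions (the input load, the xor and the system call); on a real binary the same idea must also track memory through the VM's context structure and handle conditional handlers, which this illustration leaves out.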