flow-oriented disassembler prevention

From ema
EMA ID: ema-1227
Description: The 'flow-oriented disassembler prevention' Behavior defeats disassembly of the malware instance in a flow-oriented (recursive traversal) disassembler. Some examples also apply to linear disassemblers.

Examples:

  • Flow Opcodes: control-flow opcodes are stripped from the stored code and are emulated (or decrypted) by the packer during execution.
  • Conditional Misdirection: conditional jumps are used to confuse the disassembly engine into choosing the wrong instruction boundaries, and therefore the wrong mnemonics and operands; the symptom is easy to spot in a listing when a jmp/jcc targets a label plus an offset (e.g., JNE loc_401345fe+2).
  • Value Dependent Jumps: explicit use of computed (runtime) values for control flow, often many times within the same basic block or function.
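As an added educational example (not EMA content), the following Python contrasts a linear sweep with a recursive traversal over a deliberately tiny x86-32 opcode subset and applies the checks an analyst would use to spot these behaviours: a branch whose target lands inside another decoded instruction (the `JNE loc+2` symptom above), overlapping instruction byte ranges, and register-indirect jumps the traversal cannot resolve. The opcode table, the `Insn` structure and both byte strings are constructed for this example and model only the handful of opcodes needed here.

```python
"""Linear sweep vs. recursive traversal over a tiny x86-32 opcode subset, with
checks for two symptoms named on this page: a branch that targets the middle of
another decoded instruction (rendered as `jcc loc_XXXX+N`) and value-dependent
jumps whose target cannot be resolved statically.

Added educational example; it is not EMA content. The decoder models only the
opcodes needed here, and the byte strings below are constructed, not taken from
any real sample."""
import struct
from collections import namedtuple

# target: statically known branch destination or None; falls_through: whether
# execution can continue at addr + size (False for ret and unconditional jmp).
Insn = namedtuple("Insn", "addr size mnemonic target falls_through")

JCC = {0x74: "je", 0x75: "jne", 0x7C: "jl", 0x7D: "jge", 0x7E: "jle", 0x7F: "jg"}
ALU = {0x00: "add r/m8, r8", 0x01: "add r/m32, r32",
       0x31: "xor r/m32, r32", 0x33: "xor r32, r/m32"}


def decode(code, addr):
    """Decode one instruction at addr, or return None for bytes not modelled."""
    def have(n):
        return addr + n <= len(code)

    op = code[addr]
    if op == 0x90:
        return Insn(addr, 1, "nop", None, True)
    if op == 0xC3:
        return Insn(addr, 1, "ret", None, False)
    if op in ALU and have(2):  # only register-direct ModRM forms are handled (2 bytes)
        return Insn(addr, 2, ALU[op], None, True)
    if 0xB8 <= op <= 0xBF and have(5):  # mov r32, imm32
        return Insn(addr, 5, "mov r32, imm32", None, True)
    if (op == 0xEB or op in JCC) and have(2):  # jmp/jcc rel8
        rel = struct.unpack_from("<b", code, addr + 1)[0]
        return Insn(addr, 2, JCC.get(op, "jmp"), addr + 2 + rel, op != 0xEB)
    if op in (0xE8, 0xE9) and have(5):  # call/jmp rel32
        rel = struct.unpack_from("<i", code, addr + 1)[0]
        return Insn(addr, 5, "call" if op == 0xE8 else "jmp", addr + 5 + rel, op == 0xE8)
    if op == 0xFF and have(2) and code[addr + 1] >= 0xC0:
        reg = (code[addr + 1] >> 3) & 7  # FF /2 = call r32, FF /4 = jmp r32
        if reg in (2, 4):
            return Insn(addr, 2, "call r32" if reg == 2 else "jmp r32", None, reg == 2)
    return None


def linear_sweep(code):
    """Decode straight through the bytes, exactly as a linear disassembler would."""
    insns, addr = [], 0
    while addr < len(code):
        insn = decode(code, addr)
        if insn is None:
            break
        insns.append(insn)
        addr += insn.size
    return insns


def recursive_traversal(code, entry=0):
    """Follow control flow from entry: both branch targets and fall-throughs."""
    insns, work = {}, [entry]
    while work:
        addr = work.pop()
        if addr in insns or not 0 <= addr < len(code):
            continue
        insn = decode(code, addr)
        if insn is None:
            continue
        insns[addr] = insn
        if insn.target is not None:
            work.append(insn.target)
        if insn.falls_through:
            work.append(addr + insn.size)
    return [insns[a] for a in sorted(insns)]


def mid_instruction_targets(insns):
    """Branches whose target lands strictly inside another decoded instruction.
    Returns (branch_addr, target, containing_insn_addr, offset_into_it)."""
    hits = []
    for b in insns:
        for other in insns:
            if b.target is not None and other.addr < b.target < other.addr + other.size:
                hits.append((b.addr, b.target, other.addr, b.target - other.addr))
    return hits


def overlapping_instructions(insns):
    """Adjacent decoded instructions whose byte ranges intersect; compiler
    output never does this, so overlaps are a strong obfuscation signal."""
    ordered = sorted(insns, key=lambda i: i.addr)
    return [(a.addr, b.addr) for a, b in zip(ordered, ordered[1:]) if b.addr < a.addr + a.size]


def computed_jumps(insns):
    """Addresses of register-indirect jumps/calls the traversal could not follow."""
    return [i.addr for i in insns if i.mnemonic in ("jmp r32", "call r32")]


# Constructed sample: `xor eax,eax` sets ZF, so `je +1` is always taken and the
# lone 0xE8 at 0x04 never executes. A linear sweep reads it as a 5-byte CALL and
# swallows the real `mov eax,1`; the listing then shows `je loc_4+1`.
MISDIRECTION = bytes.fromhex("31C0" "7401" "E8" "B801000000" "C3")
# Constructed sample: `mov eax, imm32; jmp eax` - the destination is a runtime value.
COMPUTED = bytes.fromhex("B800104000" "FFE0")

if __name__ == "__main__":
    for name, code in (("misdirection", MISDIRECTION), ("computed", COMPUTED)):
        lin, rec = linear_sweep(code), recursive_traversal(code)
        print(f"{name}: linear sweep {[i.mnemonic for i in lin]}")
        print(f"{name}: recursive    {[i.mnemonic for i in rec]}")
        print("  jcc into mid-instruction:", mid_instruction_targets(rec))
        print("  overlapping instructions:", overlapping_instructions(rec))
        print("  computed jumps:", computed_jumps(rec))
```

Run stand-alone, the misdirection sample shows the linear sweep recovering a phantom `call` and losing the `mov eax, 1; ret` entirely, while the traversal decodes both paths and the checks report the `je` landing one byte into the instruction at 0x04 and three overlapping instruction pairs. Real tooling (Capstone, IDA, Ghidra) replaces the toy decoder, but the same two checks, mid-instruction branch targets and overlapping byte ranges, are what make these behaviours visible in a listing.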

Associated Capabilities/Subcapabilities: Anti-Static Analysis

Associated With flow-oriented disassembler prevention: No results
References:
  • January 1, 2014 (Malware Family: not specified): http://staff.ustc.edu.cn/~bjhua/courses/security/2014/readings/anti-disas.pdf