linear disassembler prevention

From ema
EMA ID: ema-1229
Description: The 'linear disassembler prevention' Behavior prevents a linear (sweep) disassembler from correctly disassembling the malware instance. Some of the examples below also apply to flow-oriented (recursive descent) disassemblers.

Examples:

  • Conditional Misdirection: Conditional jumps are sometimes used to confuse disassembly engines, resulting in wrong instruction boundaries and thus wrong mnemonics and operands; easy to spot when a jmp/jcc targets a label plus a byte offset (e.g. JNE loc_401345fe+2).
  • Argument Obfuscation: Simple numeric or string arguments to API calls are computed at runtime, making static analysis more difficult.
  • Variable Recomposition: Variables, often strings, are broken into multiple parts and stored out of order, in different memory ranges, or both. They must then be recomposed before use.
  • Value Dependent Jumps: Explicit use of computed values for control flow, often many times in the same basic block or function.
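The following is an added illustration of the first example (Conditional Misdirection); it is not part of the ema entry. It implements a toy decoder for six x86 opcodes (nop, mov eax/imm32, jmp short, jnz short, call rel32, ret), runs a linear sweep and a flow-following (recursive descent) pass over two constructed byte strings, and flags overlapping instruction decodes, which is the check an analyst uses to notice that control flow lands in the middle of a "decoded" instruction. The byte strings, the decoder and the function names are all constructed for this example.

```python
"""Linear sweep vs. flow-following disassembly on a jump-into-the-middle pattern.

Toy decoder: only six x86 opcodes are known; anything else decodes as 'db'.
"""
import struct

# opcode -> (mnemonic, immediate size in bytes, kind)
OPCODES = {
    0x90: ("nop", 0, "plain"),
    0xB8: ("mov eax", 4, "plain"),
    0xEB: ("jmp short", 1, "jmp"),   # unconditional, rel8
    0x75: ("jnz short", 1, "jcc"),   # conditional, rel8
    0xE8: ("call", 4, "call"),       # rel32
    0xC3: ("ret", 0, "ret"),
}


def decode(code, off):
    """Decode one instruction at `off`: returns (offset, length, text, kind, target)."""
    op = code[off]
    if op not in OPCODES or off + 1 + OPCODES[op][1] > len(code):
        return (off, 1, f"db 0x{op:02x}", "plain", None)   # unknown or truncated
    mnem, imm_size, kind = OPCODES[op]
    length = 1 + imm_size
    imm = code[off + 1:off + length]
    target = None
    if kind in ("jmp", "jcc"):
        target = (off + length + struct.unpack("<b", imm)[0]) & 0xFFFFFFFF
        text = f"{mnem} 0x{target:x}"
    elif kind == "call":
        target = (off + length + struct.unpack("<i", imm)[0]) & 0xFFFFFFFF
        text = f"{mnem} 0x{target:x}"
    elif imm_size:
        text = f"{mnem}, 0x{struct.unpack('<I', imm)[0]:x}"
    else:
        text = mnem
    return (off, length, text, kind, target)


def linear_sweep(code):
    """Decode from offset 0 to the end, each instruction starting where the last ended."""
    out, off = [], 0
    while off < len(code):
        ins = decode(code, off)
        out.append(ins)
        off += ins[1]
    return out


def recursive_descent(code, entry=0):
    """Decode only what is reachable: follow jump/call targets, stop at ret and jmp."""
    seen, work, out = set(), [entry], []
    while work:
        off = work.pop()
        while 0 <= off < len(code) and off not in seen:
            ins = decode(code, off)
            seen.add(off)
            out.append(ins)
            _, length, _, kind, target = ins
            if kind == "ret":
                break
            if kind in ("jmp", "jcc", "call"):
                work.append(target)          # out-of-range junk targets are dropped above
            if kind == "jmp":
                break                        # no fall-through after an unconditional jump
            off += length
    return sorted(out)


def overlapping(instrs):
    """Pairs of instruction offsets whose byte ranges overlap: two decodes of the same bytes."""
    ins = sorted(instrs)
    pairs = []
    for i, a in enumerate(ins):
        for b in ins[i + 1:]:
            if b[0] < a[0] + a[1]:
                pairs.append((a[0], b[0]))
            else:
                break
    return pairs


# Constructed sample 1: unconditional jump over one junk byte (0xE8 = start of 'call rel32').
SAMPLE_JMP = bytes([
    0xEB, 0x01,                     # 0: jmp short 0x3
    0xE8,                           # 2: junk byte, never executed
    0xB8, 0x01, 0x00, 0x00, 0x00,   # 3: mov eax, 1
    0xC3,                           # 8: ret
])

# Constructed sample 2: same layout but with a conditional jump, as in 'JNE label+N'.
SAMPLE_JCC = bytes([
    0x75, 0x01,                     # 0: jnz short 0x3 (the fall-through path is the decoy)
    0xE8,                           # 2: junk byte
    0xB8, 0x01, 0x00, 0x00, 0x00,   # 3: mov eax, 1
    0xC3,                           # 8: ret
])


def listing(instrs):
    return "\n".join(f"{off:04x}: {text}" for off, _, text, _, _ in instrs)


if __name__ == "__main__":
    for name, sample in (("jmp", SAMPLE_JMP), ("jcc", SAMPLE_JCC)):
        print(f"== {name}: linear sweep ==\n{listing(linear_sweep(sample))}")
        rd = recursive_descent(sample)
        print(f"== {name}: recursive descent ==\n{listing(rd)}")
        print("overlapping decodes:", overlapping(rd))
```

On SAMPLE_JMP the linear sweep swallows the real `mov eax, 1` into a bogus `call` whose rel32 is built from the mov's own bytes, while recursive descent never decodes offset 2 and recovers the intended listing. On SAMPLE_JCC the conditional jump forces a flow-following disassembler to decode both the fall-through (offset 2) and the target (offset 3), so it reports overlapping instructions at 2/3 and 3/7; that overlap report is the practical tell for this Behavior and for the related Instruction Overlap Behavior.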

Associated Capabilities/Subcapabilities: Anti-Static Analysis

Associated with linear disassembler prevention (Behavior instances):
  • Control Graph Flattening
  • Instruction Overlap
References:
  • Date: January 1, 2012; Malware Family: (not listed); URL: http://www.kernelhacking.com/rodrigo/docs/blackhat2012-paper.pdf