How to recover virtualized x86 instructions by Themida

Zhenxiang Jim Wang, Microsoft

In recent years, we have started to see the emergence of third-generation packer technology used to obfuscate malware. The evolution of packer technology can broadly be divided into three generations:

  • First generation: Compressor
  • Second generation: Protector
  • Third generation: VM protection system

We observe an increasing prevalence of third-generation packers in the packer distribution statistics we actively track.

To date, two kinds of technology have traditionally been used to deal with packed malware:

  • Emulation, also called generic unpacking
  • Static unpacking

We will show in this paper that third-generation packers are armed with techniques specifically designed to defeat both of these traditional de-obfuscation approaches.

Third-generation packers translate many of the original x86 instructions into equivalent sequences of VM instructions, which are executed by a VM interpreter embedded in the protected binary. To resist cracking, the interpreter is itself heavily obfuscated. Taking Themida as an example, a single x86 instruction is implemented by executing roughly 10,000-25,000 native instructions. This gives third-generation packers a natural anti-emulation property: with present emulation technology it is infeasible to emulate malware packed in this way through to its original code in a reasonable length of time. Static unpacking, on the other hand, runs into the problem of how to recover the virtualized x86 instructions, which is one of the main difficulties in developing static unpackers for these protectors.

In this paper, we propose a methodology, based on pattern matching, to recover virtualized x86 instructions and thereby de-obfuscate the packer efficiently. Specifically, in the case of Themida, we show how this approach can:

  • handle the obfuscation techniques employed by the Themida VM
  • determine the function of all Themida VM double-byte instructions
  • determine all the random values used in the VM instructions that the Themida packer generates
  • generate VM instructions
  • translate VM instructions into x86 instructions
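To make the idea concrete, the following is a toy stack-based VM protector together with a pattern-matching devirtualizer. It is an added example written for this page, not Themida's VM and not the author's tooling: the opcode set, the handler layout and the XOR key-masking scheme are all invented for illustration. It shows three of the steps listed above in miniature: recovering a per-build random value by matching a byte pattern in a native handler, matching fixed VM opcode sequences to the x86 instruction they implement, and emitting the recovered x86 text.

```python
"""Toy VM protector and pattern-matching devirtualizer (constructed example,
not Themida's VM): virtualize x86 -> VM ops, then recover x86 by matching."""

# Hypothetical toy VM opcodes. Real protectors use many more, with obfuscated handlers.
PUSH_IMM, PUSH_REG, POP_REG, VADD, VXOR = range(5)
REGS = ["eax", "ebx", "ecx", "edx"]


def virtualize(x86_ins, key):
    """Lower one x86 instruction (mnemonic, dst, src) to a list of VM ops.
    Immediates are stored XOR-masked with a per-build random key, standing in
    for the random values a protector bakes into its generated VM code."""
    mnem, dst, src = x86_ins
    ops = []

    def push(opnd):
        if isinstance(opnd, int):
            ops.append((PUSH_IMM, opnd ^ key))
        else:
            ops.append((PUSH_REG, REGS.index(opnd)))

    if mnem == "mov":
        push(src)
    elif mnem in ("add", "xor"):
        push(dst)
        push(src)
        ops.append((VADD if mnem == "add" else VXOR, 0))
    else:
        raise ValueError(f"unsupported instruction: {mnem}")
    ops.append((POP_REG, REGS.index(dst)))
    return ops


def build_push_imm_handler(key):
    """Native handler body for PUSH_IMM as raw x86 bytes (constructed):
    nop; nop; xor eax, imm32 (35 id); push eax (50); ret (C3).
    The masked immediate arrives in eax; xor with the key unmasks it."""
    return b"\x90\x90" + b"\x35" + key.to_bytes(4, "little") + b"\x50\xc3"


def recover_key(handler):
    """'Determine random values': scan the handler for the 'xor eax, imm32'
    pattern and read the immediate back out. Naive byte search; a real
    handler full of junk code needs a more robust pattern."""
    i = handler.find(b"\x35")
    if i < 0 or i + 5 > len(handler):
        raise ValueError("key pattern not found in handler")
    return int.from_bytes(handler[i + 1:i + 5], "little")


def run_vm(code, key, regs):
    """Reference interpreter, so recovered x86 can be checked against it."""
    regs, stack = dict(regs), []
    for op, arg in code:
        if op == PUSH_IMM:
            stack.append(arg ^ key)
        elif op == PUSH_REG:
            stack.append(regs[REGS[arg]])
        elif op == POP_REG:
            regs[REGS[arg]] = stack.pop()
        else:  # VADD / VXOR
            b, a = stack.pop(), stack.pop()
            stack.append(((a + b) if op == VADD else (a ^ b)) & 0xFFFFFFFF)
    return regs


# 'Determine the function of VM instructions': each fixed opcode sequence
# implements one x86 instruction. Longest patterns first so matching is greedy.
PATTERNS = [
    ((PUSH_REG, PUSH_IMM, VADD, POP_REG), "add"),
    ((PUSH_REG, PUSH_REG, VADD, POP_REG), "add"),
    ((PUSH_REG, PUSH_IMM, VXOR, POP_REG), "xor"),
    ((PUSH_REG, PUSH_REG, VXOR, POP_REG), "xor"),
    ((PUSH_IMM, POP_REG), "mov"),
    ((PUSH_REG, POP_REG), "mov"),
]


def devirtualize(code, key):
    """'Translate VM instructions into x86': greedy pattern matching over the
    VM op stream, unmasking immediates with the recovered key."""
    out, i = [], 0
    while i < len(code):
        for pat, mnem in PATTERNS:
            seg = code[i:i + len(pat)]
            if tuple(op for op, _ in seg) != pat:
                continue
            opnds = [hex(arg ^ key) if op == PUSH_IMM else REGS[arg]
                     for op, arg in seg[:-1] if op in (PUSH_IMM, PUSH_REG)]
            dst = REGS[seg[-1][1]]
            if mnem != "mov" and opnds[0] != dst:
                raise ValueError(f"op {i}: destination is not the first operand")
            out.append(f"{mnem} {dst}, {opnds[-1]}")
            i += len(pat)
            break
        else:
            raise ValueError(f"no pattern matches VM op {code[i]} at {i}")
    return out


def protect_and_recover(program, key, regs):
    """End to end: virtualize, recover the key from the handler, devirtualize,
    and return (recovered_key, x86_lines, registers after running the VM)."""
    code = [op for ins in program for op in virtualize(ins, key)]
    k = recover_key(build_push_imm_handler(key))
    return k, devirtualize(code, k), run_vm(code, key, regs)


if __name__ == "__main__":
    program = [("mov", "eax", 5), ("add", "eax", "ebx"),
               ("xor", "ecx", 0x10), ("mov", "edx", "eax")]
    _, lines, _ = protect_and_recover(program, 0xDEADBEEF,
                                      {"eax": 0, "ebx": 3, "ecx": 0xFF, "edx": 0})
    print("\n".join(lines))
```

The two things that make this tractable in the toy, and hard in practice, are exactly what the list above targets: the mapping from opcode sequence to x86 instruction has to be worked out for every VM instruction the protector emits, and the random values have to be pulled out of heavily obfuscated handlers rather than from a two-byte signature.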

Paper from VB2009 (Geneva), 2009.
