Automatic Detection and Bypassing of Anti-Debugging Techniques for Microsoft Windows Environments

• Main Authors: PARK, J., JANG, Y.-H., HONG, S., PARK, Y.
• Format: Article
• Language: English
• Published: Stefan cel Mare University of Suceava 2019-05-01
• Series: Advances in Electrical and Computer Engineering
• Subjects: computer hacking; computer security; debugging; reverse engineering; software protection
• Online Access: http://dx.doi.org/10.4316/AECE.2019.02003

In spite of recent remarkable advances in binary code analysis, adversaries are still using diverse anti-reversing techniques for obfuscating code and making analysis difficult. Unlike most of the previous work that relies on debugger-plugins for neutralizing anti-debugging techniques, we focus on the Pin, which is one of the most widely used DBI (Dynamic Binary Instrumentation) tools in 80x86 environments. In this paper, we present an automatic anti-debugging detection/bypassing scheme using the Pin. In order to evaluate the effectiveness of our algorithm, we conducted experiments on 17 most widely used (commercial) protectors, which results in bypassing all anti-debugging techniques automatically. Particularly, our experiment includes Safengine, which is one of the most complex commercial protectors and, to the best of our knowledge, it has not been successfully analyzed by academic researchers up to now. Also, experimental results show that the proposed scheme performs better than the most recent work, Apate.