Evading Malware Analysis Using Reverse Execution
Adhokshaj Mishra, Animesh Roy, Manjesh Kumar Hanawal

TL;DR
This paper presents a method for malware to evade analysis by executing its payload in reverse, built on self-debugging (the program acting as its own debugger and single-stepping its code). A Linux x86-64 reference implementation yields one result when run forward and a different result when run in reverse, so an analysis that only observes one direction sees different behaviour.
Contribution
It introduces a new reverse execution technique using self-debugging features to enable malware to evade analysis tools.
Findings
Implemented single-step reverse execution via self-debugging on Linux x86-64
Showed that the same payload produces different outputs in the forward and reverse directions, which an analyzer can miss
Demonstrated the feasibility of self-debugging based evasion with a working reference implementation
Abstract
Malware is a security threat, and various means are adopted to detect and block it. In this paper, we demonstrate a method by which malware can evade malware analysis. The method is based on single-step reverse execution of code using the self-debugging feature. We discuss how self-debugging code works and use it to derive reverse execution for any payload. Further, we demonstrate the feasibility of detection-evading malware with a reference implementation targeting the Linux x86-64 architecture. The reference implementation produces one result when run in one direction and a different result when run in the reverse direction.
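The self-debugging primitive the abstract builds on, as an added example for Linux x86-64 (illustrative code written for this page, not the authors' implementation): the process forks, the child asks to be traced with PTRACE_TRACEME, and the parent single-steps it with PTRACE_SINGLESTEP, reading the register file after every instruction. The names `self_debug_payload`, `payload`, `trace_result` and `MAX_STEPS` are this example's own. The page does not say how the authors turn single-stepping into reverse execution, so the example stops at forward single-stepping with a per-step state read; it also reports when ptrace is unavailable (blocked by seccomp, Yama ptrace_scope, or a sandbox), which is the first thing an analysis environment tends to change.

```c
/* Added example, not the paper's code: a process on Linux x86-64 that acts as
 * debugger for a forked copy of itself and single-steps a small payload,
 * reading the registers after every instruction. Assumes glibc/musl headers
 * and that ptrace(2) is permitted; if it is not, steps is reported as -1. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_STEPS 200000L   /* safety cap: a runaway tracee is killed */

struct trace_result {
    long steps;                /* instructions single-stepped; -1 if ptrace unavailable */
    int exit_code;             /* tracee's exit status; 255 if it never exited */
    unsigned long first_rip;   /* RIP after the first step */
    unsigned long last_rip;    /* RIP after the last step before exit */
};

/* The "payload" that gets single-stepped: a deterministic computation.
 * volatile keeps the compiler from folding it into a constant, so there
 * are real instructions for the tracer to step through. Returns 10. */
static int payload(void)
{
    volatile int acc = 0;
    for (volatile int i = 1; i <= 4; i++)
        acc += i;
    return acc;
}

struct trace_result self_debug_payload(void)
{
    struct trace_result r = { -1, 255, 0, 0 };
    pid_t child = fork();
    if (child < 0)
        return r;

    if (child == 0) {
        /* Tracee: request tracing by the parent, then stop so the parent
         * takes control before the payload runs. _exit(127) signals that
         * tracing was refused (EPERM under seccomp/Yama). */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
            _exit(127);
        raise(SIGSTOP);
        _exit(payload());
    }

    /* Tracer: consume the SIGSTOP, then step one instruction at a time.
     * Passing 0 as the signal argument suppresses delivery of the SIGSTOP. */
    int status;
    if (waitpid(child, &status, 0) != child)
        return r;
    if (WIFEXITED(status)) {             /* child could not enable tracing */
        r.exit_code = WEXITSTATUS(status);
        return r;
    }
    r.steps = 0;
    for (;;) {
        if (ptrace(PTRACE_SINGLESTEP, child, NULL, NULL) == -1)
            break;
        if (waitpid(child, &status, 0) != child)
            break;
        if (WIFEXITED(status)) {         /* payload reached _exit */
            r.exit_code = WEXITSTATUS(status);
            break;
        }
        if (!WIFSTOPPED(status))
            break;
        struct user_regs_struct regs;    /* full register snapshot per step */
        if (ptrace(PTRACE_GETREGS, child, NULL, &regs) == -1)
            break;
        if (r.steps == 0)
            r.first_rip = regs.rip;
        r.last_rip = regs.rip;
        if (++r.steps >= MAX_STEPS) {    /* never let the tracee run away */
            kill(child, SIGKILL);
            waitpid(child, &status, 0);
            break;
        }
    }
    return r;
}

int main(void)
{
    struct trace_result r = self_debug_payload();
    if (r.steps < 0)
        printf("ptrace unavailable (tracee exited %d)\n", r.exit_code);
    else
        printf("stepped %ld instructions, payload exit %d, rip %#lx..%#lx\n",
               r.steps, r.exit_code, r.first_rip, r.last_rip);
    return 0;
}
```

Two practical points follow from this layout. A process can have only one tracer, so once the parent traces the child an analyst's debugger cannot attach to the child; the parent itself remains attachable, so this alone is not an anti-debugging measure. The per-step register read (PTRACE_GETREGS) is what a single-step scheme has to record if it later wants to restore earlier state, since the kernel keeps no history of its own.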
