REDIR: Automated Static Detection of Obfuscated Anti-Debugging Techniques

Author

Adam J. Smith

Date of Award

3-14-2014

Document Type

Thesis

Degree Name

Master of Science

Department

Department of Electrical and Computer Engineering

First Advisor

Robert F. Mills, PhD.

Abstract

Reverse Code Engineering (RCE) to detect anti-debugging techniques in software is a very difficult task. Code obfuscation is an anti-debugging technique makes detection even more challenging. The Rule Engine Detection by Intermediate Representation (REDIR) system for automated static detection of obfuscated anti-debugging techniques is a prototype designed to help the RCE analyst improve performance through this tedious task. Three tenets form the REDIR foundation. First, Intermediate Representation (IR) improves the analyzability of binary programs by reducing a large instruction set down to a handful of semantically equivalent statements. Next, an Expert System (ES) rule-engine searches the IR and initiates a sensemaking process for anti-debugging technique detection. Finally, an IR analysis process confirms the presence of an anti-debug technique. The REDIR system is implemented as a debugger plug-in. Within the debugger, REDIR interacts with a program in the disassembly view. Debugger users can instantly highlight anti-debugging techniques and determine if the presence of a debugger will cause a program to take a conditional jump or fall through to the next instruction.

AFIT Designator

AFIT-ENG-14-M-69

DTIC Accession Number

ADA602419

Recommended Citation

Smith, Adam J., "REDIR: Automated Static Detection of Obfuscated Anti-Debugging Techniques" (2014). Theses and Dissertations. 625.
https://scholar.afit.edu/etd/625