A generic approach to automatic deobfuscation of executable code

Babak Yadegari, Brian Johannesmeyer, Ben Whitely, Saumya Debray

Research output: Chapter in Book / Report / Conference proceeding, Conference contribution, Academic, peer-reviewed


Malicious software is usually obfuscated to avoid detection and resist analysis. When new malware is encountered, such obfuscations have to be penetrated or removed ('deobfuscated') in order to understand the internal logic of the code and devise countermeasures. This paper discusses a generic approach for deobfuscation of obfuscated executable code. Our approach does not make any assumptions about the nature of the obfuscations used, but instead uses semantics-preserving program transformations to simplify away obfuscation code. We have applied a prototype implementation of our ideas to a variety of different kinds of obfuscation, including emulation-based obfuscation, emulation-based obfuscation with runtime code unpacking, and return-oriented programming. Our experimental results are encouraging and suggest that this approach can be effective in extracting the internal logic from code obfuscated using a variety of obfuscation techniques, including tools such as Themida that previous approaches could not handle.

Original language: English
Title of host publication: Proceedings - 2015 IEEE Symposium on Security and Privacy, SP 2015
Publisher: Institute of Electrical and Electronics Engineers Inc.
Number of pages: 18
ISBN (Electronic): 9781467369497
Publication status: Published - 17 Jul 2015
Externally published: Yes
Event: 36th IEEE Symposium on Security and Privacy, SP 2015 - San Jose, United States
Duration: 18 May 2015 - 20 May 2015

Publication series

Name: Proceedings - IEEE Symposium on Security and Privacy
ISSN (Print): 1081-6011


Conference: 36th IEEE Symposium on Security and Privacy, SP 2015
Country/Territory: United States
City: San Jose


  • Deobfuscation
  • Return Oriented Programming
  • Virtualization-Obfuscation

