Anti-Disassembly

What is Anti-Disassembly?

  • Anti-disassembly techniques use specially crafted code or data in a program to cause disassembly analysis tools to produce an incorrect program listing.
  • Malware authors use anti-disassembly techniques to delay or prevent analysis of malicious code.
  • The same techniques are also used to defeat automated analysis, malware detection algorithms and antivirus heuristic engines that rely on disassembly to identify or classify malware.
  • Anti-disassembly techniques work by taking advantage of the assumptions and limitations of disassemblers.

Disassembly Algorithms

  • There are two types of disassembler algorithms: linear and flow-oriented.

Linear Disassembly:

  • The linear-disassembly strategy iterates over a block of code, disassembling one instruction at a time linearly, without deviating.
  • The main drawback of this method is that it disassembles too much code. The algorithm keeps "blindly" disassembling until the end of the buffer, even if flow-control instructions cause only a small portion of the buffer to execute.
  • Linear-disassembly algorithms are the easiest to defeat because they are unable to distinguish between code and data (they do not follow the logical control flow of the code).

Flow-Oriented Disassembly:

  • This is the more advanced category of disassembly algorithm, and it is used by most commercial tools such as IDA Pro.
  • The key difference between flow-oriented and linear disassembly is that the disassembler doesn't blindly iterate over a buffer, assuming the data is nothing but instructions packed neatly together. Instead, it examines each instruction and builds a list of locations to disassemble.
  • In linear disassembly, the disassembler has no choice to make about which instructions to disassemble at a given time. Flow-oriented disassemblers make choices and assumptions.

Anti-Disassembly Techniques

  • The primary way that malware can force a disassembler to produce inaccurate disassembly is by taking advantage of the disassembler's choices and assumptions. The following are some of the techniques used by malware authors:

Jump Instructions with the Same Target:

  • The most common anti-disassembly technique seen in the wild is two back-to-back conditional jump instructions that both point to the same target.
  • For example, if a jz loc_512 is immediately followed by a jnz loc_512, the location loc_512 will always be jumped to. The combination of jz with jnz is, in effect, an unconditional jmp, but the disassembler doesn't recognize it as such because it only disassembles one instruction at a time.
  • When the disassembler encounters the jnz, it continues disassembling the false (fall-through) branch of this instruction, despite the fact that it will never be executed in practice.

A Jump Instruction with a Constant Condition:

  • Another anti-disassembly technique commonly found in the wild is composed of a single conditional jump instruction placed where the condition will always be the same.
  • For example, adding a conditional jump (jz) after an XOR of a register with itself tricks the disassembler: the XOR always clears the register and sets the zero flag, so the jump is always taken, but the disassembler still follows the false branch first and trusts that branch more.

Impossible Disassembly

  • Under some conditions, no traditional assembly listing will accurately represent the instructions that are executed. Such conditions are called impossible disassembly.
  • This technique relies on a data byte placed strategically after a conditional jump (a so-called "rogue byte") that, on the path the disassembler follows, appears to be part of a legitimate instruction and swallows the real instructions behind it.
  • No current disassembler has the capability to solve such disassembly problems automatically.
  • To solve such problems, the malware analyst has to replace the entire sequence with NOP instructions, using an IDC or IDAPython script that calls the PatchByte function.
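As an added example (not part of these notes, and not code from IDA or any other disassembler), the following Python script implements a toy x86 decoder for a handful of opcodes, a linear sweep and a flow-oriented (worklist) sweep, and runs both over two constructed byte sequences: the same-target jz/jnz pair and the xor/jz constant-condition jump, each followed by a rogue 0xE8 byte. It then NOP-patches the rogue byte, which is the in-memory equivalent of the PatchByte fix described above. The opcode encodings are the real 32-bit x86 ones; the decoder subset, the sample bytes and the conflict reporting are assumptions of this example, so it covers both the "Disassembly Algorithms" comparison and the three techniques above.

```python
import struct

# Real 32-bit x86 encodings for the small subset we decode; anything else is
# emitted as a "db" pseudo-instruction (an assumption of this toy decoder).
ONE_BYTE = {0x90: "nop", 0xC3: "ret"}
REL8 = {0x74: "jz", 0x75: "jnz", 0xEB: "jmp"}
REL32 = {0xE8: "call", 0xE9: "jmp"}


def decode(buf, base, addr):
    """Decode one instruction at addr -> (length, text, branch target or None)."""
    off = addr - base
    op = buf[off]
    if op in ONE_BYTE:
        return 1, ONE_BYTE[op], None
    if op == 0x31 and buf[off + 1:off + 2] == b"\xC0":
        return 2, "xor eax, eax", None
    if op == 0xB8 and off + 5 <= len(buf):
        return 5, "mov eax, %#x" % struct.unpack_from("<I", buf, off + 1)[0], None
    if op in REL8 and off + 2 <= len(buf):
        rel = struct.unpack_from("<b", buf, off + 1)[0]
        target = (addr + 2 + rel) & 0xFFFFFFFF
        return 2, "%s %#x" % (REL8[op], target), target
    if op in REL32 and off + 5 <= len(buf):
        rel = struct.unpack_from("<i", buf, off + 1)[0]
        target = (addr + 5 + rel) & 0xFFFFFFFF
        return 5, "%s %#x" % (REL32[op], target), target
    return 1, "db %#04x" % op, None


def linear_disassemble(buf, base=0):
    """Linear sweep: decode from the first byte to the end without deviating."""
    listing, addr = {}, base
    while addr < base + len(buf):
        length, text, _ = decode(buf, base, addr)
        listing[addr] = text
        addr += length
    return listing


def flow_disassemble(buf, base=0):
    """Flow-oriented sweep driven by a worklist. As described in the notes, the
    fall-through (false) branch of a conditional jump is decoded before its
    target. Returns (listing, conflicts): a conflict is a branch target that
    lands inside an instruction that was already decoded, i.e. overlapping code."""
    listing, covered, conflicts, work = {}, {}, set(), [base]
    end = base + len(buf)
    while work:
        addr = work.pop()
        if not base <= addr < end or addr in listing:
            continue
        if addr in covered:
            conflicts.add(addr)
            continue
        length, text, target = decode(buf, base, addr)
        listing[addr] = text
        for a in range(addr, addr + length):
            covered[a] = addr
        if target is not None:
            work.append(target)            # pushed first, so popped last
        if text.split()[0] not in ("ret", "jmp"):
            work.append(addr + length)     # pushed last, so decoded first
    return listing, sorted(conflicts)


def patch_nops(buf, addrs, base=0):
    """Overwrite the given addresses with NOP (0x90): the in-memory analogue of
    the IDC PatchByte loop an analyst runs over a rogue byte."""
    patched = bytearray(buf)
    for addr in addrs:
        patched[addr - base] = 0x90
    return bytes(patched)


# Constructed sample 1: two jumps with the same target, then a rogue 0xE8 byte
# (the first byte of a 5-byte call) that swallows the real code behind it.
SAME_TARGET = bytes([
    0x74, 0x03,                    # 0x0: jz  0x5
    0x75, 0x01,                    # 0x2: jnz 0x5   (jz + jnz == unconditional jmp)
    0xE8,                          # 0x4: rogue byte, never executed
    0x31, 0xC0,                    # 0x5: xor eax, eax   <- real code
    0x90,                          # 0x7: nop
    0xC3,                          # 0x8: ret
])

# Constructed sample 2: a conditional jump whose condition is constant.
CONSTANT_COND = bytes([
    0x31, 0xC0,                    # 0x0: xor eax, eax  -> ZF is always 1 here
    0x74, 0x01,                    # 0x2: jz 0x5        -> always taken
    0xE8,                          # 0x4: rogue byte on the dead false branch
    0xB8, 0x01, 0x00, 0x00, 0x00,  # 0x5: mov eax, 1    <- real code
    0xC3,                          # 0xa: ret
])


def show(title, listing, conflicts=()):
    print(title)
    for addr in sorted(listing):
        print("  %#05x  %s" % (addr, listing[addr]))
    for addr in conflicts:
        print("  %#05x  <- branch target inside an already-decoded instruction" % addr)


if __name__ == "__main__":
    for name, buf in (("same-target jumps", SAME_TARGET), ("constant condition", CONSTANT_COND)):
        show("linear, %s:" % name, linear_disassemble(buf))
        show("flow-oriented, %s:" % name, *flow_disassemble(buf))
        show("flow-oriented after NOP-patching 0x4:", *flow_disassemble(patch_nops(buf, [4])))
```

Running it prints each listing before and after the patch. In both unpatched samples the linear sweep and the flow-oriented sweep decode the rogue byte at 0x4 as a five-byte call that consumes the real xor or mov instruction at 0x5, and the flow-oriented sweep additionally reports 0x5 as a branch target landing inside that call, which is the overlap a real disassembler shows as a conflicting reference. After replacing the rogue byte with 0x90 the flow-oriented listing is correct. In IDA the equivalent patch is ida_bytes.patch_byte(ea, 0x90) from IDAPython or PatchByte(ea, 0x90) from IDC.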