-
Publication No.: US20250103686A1
Publication Date: 2025-03-27
Application No.: US18578600
Application Date: 2023-11-23
Inventor: Haehyun CHO, Jeonghyun YI, Minho KIM, Gwangyeol LEE
Abstract: A deobfuscation method for a deobfuscation apparatus that deobfuscates a malicious program obfuscated using an obfuscation technique. The method comprises executing the malicious program to identify and extract memory information containing a trampoline code used in the obfuscation technique, executing the trampoline code based on the memory information to classify the type of obfuscation technique of the malicious program, and deobfuscating the malicious program according to the classified obfuscation technique and generating a deobfuscation program. With this configuration, techniques for obfuscating the OEP and IAT can be deobfuscated.
-
Publication No.: US20250094578A1
Publication Date: 2025-03-20
Application No.: US18578615
Application Date: 2023-11-23
Inventor: Haehyun CHO, Jeonghyun YI, Minho KIM, Gwangyeol LEE
IPC: G06F21/56
Abstract: A method of detecting malicious behavior in a malicious behavior detection apparatus that detects malicious behavior by analyzing the code of a program. The method comprises generating a first control flow graph (CFG) by performing dynamic analysis on the program, generating a second CFG by extracting a code block that is likely to be executed by a conditional branch instruction included in the program, comparing the first CFG and the second CFG to detect hidden code included in the program, and detecting a malicious behavior of the program by determining whether the detected hidden code is malicious code. With this configuration, the time it takes to discover and respond to new types of malicious code can be shortened by extracting hidden code related to the malicious behavior and detecting malicious behavior.
-