Emulating Emulation-Resistant Malware
The authors of malware attempt to frustrate reverse engineering and analysis by creating programs that crash or otherwise behave differently when executed on an emulated platform than when executed on real hardware. In order to defeat such techniques and facilitate automatic and semi-automatic dynamic analysis of malware, the paper proposes an automated technique to dynamically modify the execution of a whole-system emulator to fool a malware sample's anti-emulation checks. The approach uses a scalable trace matching algorithm to locate the point where emulated execution diverges, and then compares the states of the reference system and the emulator to create a dynamic state modification that repairs the difference. The paper evaluates the technique by building an implementation into an emulator used for in-depth malware analysis.
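To make the locate-then-repair loop concrete, here is a toy model of it (an added example, not the paper's implementation): a hypothetical three-op instruction set runs a constructed program whose platform probe returns 1 on the reference system and 0 in the emulator, a trace matcher finds the first snapshot where the two traces' states differ, and the resulting register override is replayed as a dynamic state modification so the emulated run follows the reference path.

```python
# Constructed program for a hypothetical instruction set: probe / jz / mov / halt.
PROGRAM = [
    ("probe", "eax"),         # platform probe: reference yields 1, emulator yields 0
    ("jz", "eax", 4),         # anti-emulation check: jump to decoy path when probe is 0
    ("mov", "ebx", 42),       # genuine path, only reached on the reference system
    ("halt",),
    ("mov", "ebx", 0),        # decoy path taken under emulation
    ("halt",),
]

def run(program, probe_value, fixes=None):
    """Execute program; return a trace of (pc, regs) snapshots, one per retired
    instruction. `fixes` maps a pc to register overrides applied right after that
    instruction retires: this stands in for the dynamic state modification."""
    regs, pc, trace, fixes = {"eax": 0, "ebx": 0}, 0, [], fixes or {}
    while True:
        ins, cur = program[pc], pc
        pc += 1
        if ins[0] == "probe":
            regs[ins[1]] = probe_value
        elif ins[0] == "jz" and regs[ins[1]] == 0:
            pc = ins[2]
        elif ins[0] == "mov":
            regs[ins[1]] = ins[2]
        regs.update(fixes.get(cur, {}))
        trace.append((cur, dict(regs)))      # copy: regs keeps mutating
        if ins[0] == "halt":
            return trace

def locate_divergence(ref, emu):
    """Match the traces by pc until control flow splits, then scan the common
    prefix for the first snapshot whose registers differ. That instruction is the
    root cause; the differing registers are the repair. Returns (pc, diff)."""
    n = min(len(ref), len(emu))
    split = next((i for i in range(n) if ref[i][0] != emu[i][0]), n)
    for i in range(split):
        (pc, r), (_, e) = ref[i], emu[i]
        diff = {k: v for k, v in r.items() if e.get(k) != v}
        if diff:
            return pc, diff
    return None

def repair(ref_trace, emu_probe=0):
    """One iteration: run the emulator, locate the divergence against the
    reference trace, derive the state fix, and re-run with the fix applied."""
    emu = run(PROGRAM, emu_probe)
    found = locate_divergence(ref_trace, emu)
    fixes = {found[0]: found[1]} if found else {}
    return fixes, run(PROGRAM, emu_probe, fixes)
```

Calling `repair(run(PROGRAM, probe_value=1))` yields the fix `{0: {"eax": 1}}` and a repaired emulator trace identical to the reference one, with the genuine path (`ebx == 42`) reached instead of the decoy.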