SADE (Software Analysis and De-obfuscation Engine) is a software analysis toolkit
that generically (without first determining the specific compression and encryption
scheme used) detects and unpacks a packed (encrypted and compressed) Windows
executable file (PE32 file) and makes the unpacked code available for analysis.
SADE also shows additional information about the executable file (resources,
imports, sections, etc.). The motivation behind the project is that the problem of
generically unpacking malicious executables has been solved to some extent
commercially, but the competitive nature of the anti-virus software industry keeps
vendors from publishing a solution. There is hence a lack of publicly available generic
unpacking tools that can handle a wide range and variety of packed executable files
without knowing the exact packer used to pack them. Furthermore, the growing epidemic
of malware has strengthened the need for more freely available tools to help in
analyzing packed executable files. The chief users of the application are security
analysts, and the main area of application is malware analysis. Malware authors use
packing techniques to hide their malicious code, and security analysts need to
uncover the hidden executable code to create signatures and understand
attacks.
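As an added example (not SADE's own code), the following Python walks a PE32 section table and applies two generic packing heuristics that do not depend on identifying the packer: near-random raw section data, and sections that are empty on disk but reserve virtual space for code to be written at run time. The sample image, its section names and the 7.0-bit entropy threshold are constructed for the demo and are assumptions, not values from the project.

```python
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 when every byte value is equally common."""
    n = len(data)
    counts = [data.count(bytes([b])) for b in range(256)] if n else []
    return 0.0 - sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Return [(name, virtual_size, raw_size, raw_entropy)] from the PE section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0] if pe[:2] == b"MZ" and len(pe) >= 0x40 else -1
    if e_lfanew < 0 or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    # IMAGE_FILE_HEADER follows the 4-byte signature; field 2 is NumberOfSections, field 6 SizeOfOptionalHeader
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size                           # first IMAGE_SECTION_HEADER
    hdrs = [struct.unpack_from("<8sIIII", pe, table + 40 * i) for i in range(nsect)]
    return [(name.rstrip(b"\0").decode("ascii", "replace"), vsize, rsize,
             shannon_entropy(pe[rptr:rptr + rsize])) for name, vsize, _, rsize, rptr in hdrs]


def flag_packed(pe: bytes, threshold: float = 7.0):
    """Sections with near-random raw data, or none on disk but virtual room for it."""
    return [(n, "high-entropy" if r else "empty-on-disk")
            for n, v, r, e in parse_sections(pe) if (r and e >= threshold) or (not r and v)]


def build_sample_pe(sections):
    """Constructed, non-loadable PE32 skeleton from [(name, raw_bytes, virtual_size)]."""
    e_lfanew, opt_size = 0x40, 96
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)   # PE32 magic, rest zeroed
    data_start = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    table, data = b"", b""
    for name, raw, vsize in sections:
        ptr = data_start + len(data) if raw else 0
        table += struct.pack("<8sIIII", name, vsize, 0x1000, len(raw), ptr) + b"\0" * 16
        data += raw
    return dos + b"PE\0\0" + coff + opt + table + data


SAMPLE_PE = build_sample_pe([
    (b".text", b"\x55\x8b\xec\xc3" * 1024, 4096),   # repetitive stub code: entropy 2.0
    (b".pack0", bytes(range(256)) * 16, 4096),      # every byte value equally often: 8.0
    (b".empty", b"", 0x20000),                      # nothing on disk, room at run time
])
```

Running `flag_packed(SAMPLE_PE)` reports `.pack0` as high-entropy and `.empty` as empty-on-disk while the plain `.text` stub is left alone; real packers vary, so treat both flags as hints for an analyst rather than proof of packing.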