Contradef: A Dynamic Binary Instrumentation Tool for Evasive Malware Analysis
Abstract
Contradef is a dynamic binary instrumentation (DBI) tool built on Intel Pin, designed for analyzing evasive software through tracing. The tool records instruction flows, memory accesses, API calls, and internal states to log files, enabling post-execution analysis. Contradef allows execution, inspection, and even manipulation of software protected by advanced packers such as VMProtect, revealing obfuscation and evasion techniques that typically bypass static analysis methods.
Published: 2025-09-01
How to Cite
CAMPELO, Henrique B.; S. NETO, Francisco S.; FEITOSA, Eduardo L. Contradef: A Dynamic Binary Instrumentation Tool for Evasive Malware Analysis. In: TOOLS - BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 25., 2025, Foz do Iguaçu/PR. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2025. p. 11-19. DOI: https://doi.org/10.5753/sbseg_estendido.2025.10498.
