Don't flatten yourself restoring malware with Control Flow Flattening obfuscation - Geri Revay

Presented at the VB2023 conference in London, 4 - 6 October 2023.
↓ Slides: https://www.virusbulletin.com/uploads/pdf/conference/vb2023/slides/Slides-Dont-flatten-yourself-restoring-malware-with-Control-Flow-Flattening-obfuscation.pdf
↓ Paper: https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Dont-flatten-yourself-restoring-malware-with-Control-Flow-Flattening-obfuscation.pdf
→ Details: https://www.virusbulletin.com/conference/vb2023/abstracts/dont-flatten-yourself-deobfuscating-malware-control-flow-flattening/

✪ PRESENTED BY ✪
• Geri Revay (Fortinet)

✪ ABSTRACT ✪
Control-Flow Flattening (CFF) is an obfuscation/anti-analysis technique used by malware authors. Its goal is to alter the control flow of a function to hinder reverse engineering: the function's basic blocks are rewritten so that each one is reached only through a central dispatcher that picks the next block from a state variable, so the static control-flow graph no longer shows the original order of the blocks, only dispatcher-to-block edges. Using CFF makes static analysis complex and significantly increases the time an analyst has to invest. Malware authors have already discovered this, and a steady increase can be seen in the number of malware samples that use CFF. Soon, every analyst will have to face it daily, which calls for know-how and tooling.

This presentation intends to provide both. First, we will discuss the general approach to fighting CFF: how to identify CFF, and which components (the dispatcher, the state variable and the original blocks) are essential to restore the control flow. Then we will implement this approach using emulation in an IDAPython script and use it against a ransomware sample. Finally, we will lay down the process analysts should follow in their next encounter with a binary using CFF.
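To make the mechanism concrete, the following Python model is an added example and is not the talk's IDAPython script or any real sample: it hand-builds a flattened function (dispatcher, state variable and shuffled blocks made explicit, with state constants chosen arbitrarily for the example), shows the identification heuristic for the dispatcher, and then recovers the original control-flow graph the way the abstract describes, by emulating each block to learn which state value it writes rather than by reasoning about the data.

```python
"""Toy model of Control-Flow Flattening (CFF) plus an emulation-based recovery.

Added example (not the talk's tooling): the function below is a constructed
model of a CFF-obfuscated function.  State constants are arbitrary.
"""
from collections import deque

# Original function, before flattening (reference only):
#     x = n
#     while x < 10:
#         x += 3
#     return x
#
# Flattened form: every block is entered via the dispatcher, which reads STATE
# and jumps to the matching block, so the static graph is dispatcher <-> blocks.
# Block instructions are tuples:
#   ("set", dst, src)             dst = env[src] if src is a name, else the constant
#   ("add", dst, imm)             dst += imm
#   ("jmp", state)                STATE = state
#   ("jcc_lt", var, imm, st, sf)  STATE = st if var < imm else sf
#   ("ret",)                      leave the function
FLAT_BLOCKS = {
    0x1F3A: ("init",      [("set", "x", "n"), ("jmp", 0x77C1)]),
    0x9E14: ("exit",      [("ret",)]),
    0x2B08: ("loop_body", [("add", "x", 3), ("jmp", 0x77C1)]),
    0x77C1: ("loop_hdr",  [("jcc_lt", "x", 10, 0x2B08, 0x9E14)]),
}
ENTRY_STATE = 0x1F3A


def emulate_block(ops, env, force_branch=None):
    """Emulate one block on env; return the STATE it writes, or None on ret.

    force_branch=True/False makes a conditional jump take that outcome
    regardless of the data, which is how recovery finds both successors.
    """
    for op in ops:
        kind = op[0]
        if kind == "set":
            env[op[1]] = env[op[2]] if isinstance(op[2], str) else op[2]
        elif kind == "add":
            env[op[1]] += op[2]
        elif kind == "jmp":
            return op[1]
        elif kind == "jcc_lt":
            taken = env[op[1]] < op[2] if force_branch is None else force_branch
            return op[3] if taken else op[4]
        elif kind == "ret":
            return None
        else:
            raise ValueError(f"unknown op {kind!r}")
    raise ValueError("block fell off the end without setting STATE")


def run_flattened(n):
    """Execute the flattened function concretely, exactly as the dispatcher does."""
    env = {"n": n, "STATE": ENTRY_STATE}
    while True:
        _, ops = FLAT_BLOCKS[env["STATE"]]   # dispatcher: STATE -> block
        nxt = emulate_block(ops, env)
        if nxt is None:
            return env["x"]
        env["STATE"] = nxt


def flattened_cfg():
    """The graph a disassembler shows: dispatcher -> every block -> dispatcher."""
    edges = {"dispatcher": sorted(name for name, _ in FLAT_BLOCKS.values())}
    for name, ops in FLAT_BLOCKS.values():
        edges[name] = [] if ops[-1][0] == "ret" else ["dispatcher"]
    return edges


def find_dispatcher(cfg):
    """Identification heuristic: the dispatcher has unusually high in- and out-degree."""
    indeg = {n: 0 for n in cfg}
    for succs in cfg.values():
        for s in succs:
            indeg[s] += 1
    best = max(cfg, key=lambda n: (indeg[n], len(cfg[n])))
    return best if indeg[best] >= 3 and len(cfg[best]) >= 3 else None


def recover_cfg():
    """Rebuild the original CFG by emulating each reachable block from the entry.

    Data values are irrelevant; only the STATE each block writes matters, so a
    conditional block is emulated twice with the branch forced each way.
    """
    recovered, seen, work = {}, {ENTRY_STATE}, deque([ENTRY_STATE])
    while work:
        state = work.popleft()
        name, ops = FLAT_BLOCKS[state]
        conditional = any(op[0].startswith("jcc") for op in ops)
        succs = []
        for outcome in ((True, False) if conditional else (None,)):
            env = {"n": 0, "x": 0}            # dummy data, never branched on
            nxt = emulate_block(ops, env, force_branch=outcome)
            if nxt is not None:
                succs.append(FLAT_BLOCKS[nxt][0])
                if nxt not in seen:
                    seen.add(nxt)
                    work.append(nxt)
        recovered[name] = succs
    return recovered


if __name__ == "__main__":
    print("dispatcher:", find_dispatcher(flattened_cfg()))
    print("recovered CFG:", recover_cfg())
    print("run_flattened(2) =", run_flattened(2))
```

The recovered graph (init to loop_hdr, loop_hdr to loop_body or exit, loop_body back to loop_hdr) is the original while loop; in a real binary the same pass runs each block under an emulator from its first instruction to the point where the state variable is written, and a block whose state update depends on a condition is emulated once per branch outcome, exactly as the forced branch does here.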