De-obfuscating Malware is One of the most important features of modern malware is obfuscation.
De-obfuscating Malware is the process of changing something so as to hide its main purpose.
In the case of De-obfuscating Malware, De-obfuscating Malware is used to make the automated analysis of its nearly impossible and to frustrate manual analysis to the maximum extent possible.
There are two basic ways to deal with obfuscation. The first way is to simply ignore it, in which case your only real option for understanding the nature of a piece of De-obfuscating malware is to observe its behavior in a carefully instrumented environment, as detailed in the previous chapter.
The second way to deal with it is to take steps to remove it and reveal the original “de-obfuscated” program, which can then be analyzed using traditional tools such as disassemblers and debuggers.
Of course, malware authors understand that analysts will attempt to break through any obfuscation, and as a result, they design it with features designed to make de-obfuscation difficult.
can never be made truly impossible since it must ultimately run on its target CPU;
it will always be possible to observe the sequence of instructions that execute using some combination of hardware and software tools.
In all likelihood, the author’s goal is simply to make analysis sufficiently difficult that a window of opportunity is opened for the malware in which it can operate without detection.
