VCF: Virtual Code Folding to Enhance Virtualization Obfuscation

Abstract

Code virtualization, also called virtualization obfuscation, is a code obfuscation technique that protects software from malicious analysis. Unlike code packing or code encryption techniques, code virtualization does not restore the original code on the memory. However, because basic components of the structure are simple, if a virtualization structure is revealed statically, there is a limitation in that the analysis process is somewhat constant. In this paper, we propose Virtual Code Folding (VCF) as a new code virtualization technique. The proposed method reduces the amount of virtual code that is statically revealed by folding the virtual code inside a virtualization structure and enables the virtual code to be decoded by generating multiple diversified dispatchers. The folded virtual code is restored by the random key, and then fetched and decoded by the diversified dispatcher. This process makes it possible for VCF to effectively obfuscate correspondence between virtual code and handler code (i.e., code that performs real functionality) without significant performance overhead or strong assumptions.