Techniques Implemented in Software Protectors: A Journey with DBI Through What Protectors Use to Detect Bad Guys

2021 
Software protectors are products that shield a binary executable with transformations that obfuscate and compress its original bytes, revealing them only during execution. In addition, they implement early-stage evasion techniques that actively look for the presence of someone who is trying to study or break such protections, since the analysis environments used to this end introduce typical artifacts into the execution. In this paper we analyze a plethora of evasions used by protectors through dynamic binary instrumentation (DBI), a technique that augments the execution of a program with capabilities for monitoring and altering it down to instruction-level granularity. As a result of the analysis, we survey which artifacts are searched for by the most important software protectors on the market, dividing them according to the type of artifact they target: environmental, analysis tools, and DBI itself.