Thesis title: Engaging with Malware: Coverage-guided Fuzzing and Dynamic Introspection to Analyze Environment Sensitive and Obfuscated Windows Malware
This thesis develops automated techniques to analyze Windows malware that deploys anti-analysis defenses and exhibits environment-sensitive, multi-path behavior. We contribute two complementary systems that turn adversarial logic into a source of insight rather than a barrier to observation. First, we introduce PFuzzer, a novel coverage-guided fuzzing framework that explores multiple execution paths in environment-sensitive malware. PFuzzer treats environmental conditions as fuzzable inputs, automatically mutating system responses to provoke hidden behaviors. Evaluated on a curated corpus of 1,078 Windows malware samples, PFuzzer uncovers additional conspicuous behaviors for 42.39% of the dataset and clearly outperforms state-of-the-art systems such as BluePill and Enviral in head-to-head comparisons. Second, we present an automated deobfuscation pipeline for API hashing, which hides dependencies by replacing plaintext API names with digests during lookup. Our slice-guided analysis locates comparison sites and value-update instructions to expose the hashing logic and recover hash-to-API mappings. We then repurpose each specimen as a hash oracle: by injecting chosen strings and emulating only the relevant slice, we compute ground-truth digests with the malware’s own code—eliminating manual re-implementation and brittleness to routine variants. The approach yields scalable, automated mapping of digest values to API names and supports characterization of hashing schemes in the wild.
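The hash-oracle step of the deobfuscation pipeline, as an added illustration that is not code from the thesis: chosen API names are fed to an oracle, the returned digests are recorded, and digests observed in a sample are then resolved back to names. In the thesis the oracle is the emulated hashing slice of the specimen itself; here a constructed ROR13-style routine stands in for it, and the candidate export list is likewise constructed, so the block runs offline.

```python
# Added example (not from the thesis): resolving API-hash digests via a hash oracle.
from typing import Callable, Dict, Iterable, List, Optional, Tuple


def ror13_oracle(name: str) -> int:
    """Constructed stand-in for the emulated hashing slice (assumed ROR13 over ASCII).

    The real pipeline would call into the specimen's own code instead of this."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF  # rotate right by 13 (32-bit)
        h = (h + b) & 0xFFFFFFFF
    return h


def build_mapping(oracle: Callable[[str], int],
                  candidates: Iterable[str]) -> Tuple[Dict[int, str], List[Tuple[int, str, str]]]:
    """Query the oracle with chosen strings and record digest -> API name.

    Weak 32-bit schemes can collide, so colliding names are reported rather than
    silently overwriting an earlier entry."""
    table: Dict[int, str] = {}
    collisions: List[Tuple[int, str, str]] = []
    for name in candidates:
        digest = oracle(name)
        if digest in table and table[digest] != name:
            collisions.append((digest, table[digest], name))
            continue
        table[digest] = name
    return table, collisions


def resolve(observed: Iterable[int], table: Dict[int, str]) -> Dict[int, Optional[str]]:
    """Map digests seen at comparison sites to API names; None marks an unresolved digest."""
    return {d: table.get(d) for d in observed}


# Constructed candidate export list (a real run would use the exports of the loaded DLLs).
CANDIDATE_APIS = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
                  "CreateThread", "CreateFileW", "WriteFile", "ExitProcess"]


def demo() -> Dict[int, Optional[str]]:
    """Constructed scenario: two digests the sample compares against, plus one unknown."""
    table, _collisions = build_mapping(ror13_oracle, CANDIDATE_APIS)
    observed = [ror13_oracle("VirtualAlloc"), ror13_oracle("CreateThread"), 0xDEADBEEF]
    return resolve(observed, table)


if __name__ == "__main__":
    for digest, name in demo().items():
        print(f"{digest:#010x} -> {name or '<unresolved>'}")
```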
Together, these contributions demonstrate how adversarial logic—once designed to conceal malware behavior—can be exploited to drive deeper understanding. The thesis advances automated malware analysis by transforming evasion and obfuscation mechanisms into analyzable signals, enabling more complete and scalable behavioral reconstruction.