Generic Unpacking Method Based on Detecting Original Entry Point

Authors: Ryoichi Isawa, Masaki Kamizono, Daisuke Inoue

DOI: 10.1007/978-3-642-42054-2_74

Keywords:

Abstract: In this paper, we focus on the problem of unpacking packed executables in a generic way. That is, we do not assume specific knowledge about the algorithms used to produce the packed executable (i.e., we do not extract or create the reverse algorithm). In general, a packed executable, when launched, will first reconstruct the code of the original program, write it down someplace in memory, and then transfer execution to that code by assigning the Extended Instruction Pointer (EIP) to the so-called Original Entry Point (OEP) of the original program. Accordingly, if we had a way to accurately identify this event flow and thus the OEP, we could more easily extract the original program for analysis (cf. inspecting the code remaining after the OEP was reached). We propose an effective method based on a combination of two novel detection techniques, one relying on incremental measurement of the entropy of the information stored in the memory space assigned to the process, the other on searching for and counting potential Windows API calls in the same space.
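As an added example (not code from the paper), the Python sketch below mimics the two signals the abstract combines over a sequence of memory snapshots of one region: a drop in Shannon entropy once the original code has been written out, and a rising count of potential Windows API call sites (x86 `call dword ptr [imm32]` whose operand points into an Import Address Table). The IAT range, thresholds and snapshots are constructed for illustration and are not values from the paper.

```python
import math
import random

# Hypothetical Import Address Table range for the constructed sample (not from the paper).
IAT_START, IAT_END = 0x00402000, 0x00402100


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: ~8.0 for compressed/encrypted data, near 0 for padding."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def count_potential_api_calls(data: bytes) -> int:
    """Count x86 'call dword ptr [imm32]' (FF 15) sites whose operand points into the IAT."""
    count, i = 0, 0
    while i + 6 <= len(data):
        if data[i] == 0xFF and data[i + 1] == 0x15:
            target = int.from_bytes(data[i + 2:i + 6], "little")
            if IAT_START <= target < IAT_END:
                count += 1
                i += 6
                continue
        i += 1
    return count


def find_oep_snapshot(snapshots: list, entropy_drop: float = 1.0, min_calls: int = 3) -> int:
    """Index of the first snapshot whose entropy fell by >= entropy_drop since the previous one and that holds >= min_calls potential API calls; -1 if none."""
    prev = shannon_entropy(snapshots[0])
    for idx in range(1, len(snapshots)):
        ent = shannon_entropy(snapshots[idx])
        if prev - ent >= entropy_drop and count_potential_api_calls(snapshots[idx]) >= min_calls:
            return idx
        prev = ent
    return -1


def build_demo_snapshots() -> list:
    """Constructed snapshots of one 4 KiB region: still packed, partly overwritten, fully unpacked."""
    rng = random.Random(7)
    packed = bytes(rng.randrange(256) for _ in range(4096))      # opaque payload: ~8 bits/byte
    stub = b"\x55\x8b\xec" + b"\x90" * 20                          # prologue plus nop padding
    calls = b"".join(b"\xff\x15" + (IAT_START + 4 * k).to_bytes(4, "little") for k in range(5))
    unpacked = ((stub + calls + b"\x00" * 512) * 6)[:4096]       # repetitive code: low entropy
    partial = unpacked[:512] + packed[512:]                        # unpacking still in progress
    return [packed, partial, unpacked]
```

The partial snapshot already contains call sites but its entropy has barely moved, so only the fully unpacked snapshot satisfies both conditions, which is the point of combining the two signals.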
