Secure and advanced unpacking using computer emulation

Author: Sébastien Josse

DOI: 10.1007/S11416-007-0046-0

Keywords:

Abstract: The purpose of this article is firstly to present a secure unpacker that is specifically designed for security analysts studying viruses, but also for anti-virus scanners. Such a tool is in fact required when assessing the requirements of an anti-virus scanner through a black-box approach: during the testing of the software, one needs to build virus populations for several penetration tests, and virus unpacking is the first mandatory step before gaining the ability to apply any obfuscation transformation or information extraction algorithm to a viral set. A secure unpacker is also useful for checking the robustness against reverse engineering of a packed or otherwise protected product. Several static and dynamic analysis tools already implement unpacking algorithms, but these tools often require human intervention and are not well suited to automatically unpacking a program as dangerous as a virus. A new secure and advanced unpacker for encrypted programs is presented in this paper. Forensics techniques are used to reconstruct the unpacked executable, and advanced heuristics are applied in order to decrypt more sophisticated self-protected malware. We review the techniques used to detect and deceive virtual machine monitors and discuss our own low-level attacks. Our unpacker is one of a set of tools. The paper then presents a proof-of-concept framework that implements most standard anti-virus components (real-time scanner, emulator engine), proposes in addition a reliable approach to its interaction with the OS executive (stealth native API hooking), and focuses on the decision process without the resource limitation constraints of product-oriented scanners. This framework is used as a basis and reference for comparing aspects of scanners that concern their driver stack and the efficiency of their de-obfuscation algorithms.
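To make the unpacking step concrete, the following is an added illustration (not code from the paper or from its author) of the generic heuristic that emulator-based unpackers rely on: run the packed program under an emulator, track every memory byte the program itself writes, and stop when control is transferred into bytes that were written at run time, which marks a candidate original entry point (OEP) and is the moment to dump the reconstructed image. The instruction set, opcodes, memory layout and packed sample below are all constructed for the example and are not x86 or the paper's engine; the instruction budget stands in for the resource limits an emulator must impose against anti-emulation stalls.

```python
"""Toy emulator-based generic unpacker illustrating the write-then-execute heuristic.

Hypothetical bytecode ISA (an assumption for this example, not x86 and not the
paper's engine):
  NOP                     1 byte
  XOR addr16 len8 key8    5 bytes: mem[addr..addr+len) ^= key  (decryption loop)
  JMP addr16              3 bytes
  HALT                    1 byte
"""
from dataclasses import dataclass, field

OP_NOP, OP_XOR, OP_JMP, OP_HALT = 0x00, 0x01, 0x02, 0x03


@dataclass
class Cpu:
    mem: bytearray
    pc: int = 0
    written: set = field(default_factory=set)  # addresses modified at run time
    steps: int = 0


def _addr16(cpu, at):
    """Little-endian 16-bit operand stored at mem[at]."""
    return cpu.mem[at] | (cpu.mem[at + 1] << 8)


def step(cpu):
    """Execute one instruction. Returns False when HALT is reached."""
    op = cpu.mem[cpu.pc]
    cpu.steps += 1
    if op == OP_NOP:
        cpu.pc += 1
    elif op == OP_XOR:
        addr = _addr16(cpu, cpu.pc + 1)
        length, key = cpu.mem[cpu.pc + 3], cpu.mem[cpu.pc + 4]
        for a in range(addr, addr + length):
            cpu.mem[a] ^= key
            cpu.written.add(a)  # dirty tracking: the core of the heuristic
        cpu.pc += 5
    elif op == OP_JMP:
        cpu.pc = _addr16(cpu, cpu.pc + 1)
    elif op == OP_HALT:
        return False
    else:
        raise ValueError(f"invalid opcode {op:#04x} at {cpu.pc:#06x}")
    return True


def unpack(image, max_steps=10_000):
    """Emulate `image` until control transfers into bytes written at run time.

    Returns (status, oep, memory_dump) with status one of
    'unpacked' (candidate OEP found), 'halted' (program ended without
    executing self-written code), 'budget' (step limit hit; a tight loop or
    anti-emulation stall should be treated as suspicious, not as 'clean').
    """
    cpu = Cpu(bytearray(image))
    while cpu.steps < max_steps:
        if cpu.pc in cpu.written:
            # Forensic reconstruction: dump the whole memory image at the
            # moment self-written code is first executed; pc is the candidate OEP.
            return "unpacked", cpu.pc, bytes(cpu.mem)
        if not step(cpu):
            return "halted", None, bytes(cpu.mem)
    return "budget", None, bytes(cpu.mem)


def build_packed_sample(key=0x5A, payload_at=0x40):
    """Constructed sample: a stub XOR-decrypts a payload in place and jumps to it."""
    payload = bytes([OP_NOP, OP_NOP, OP_HALT])
    encrypted = bytes(b ^ key for b in payload)
    mem = bytearray(0x80)
    stub = bytes([OP_XOR, payload_at & 0xFF, payload_at >> 8, len(payload), key,
                  OP_JMP, payload_at & 0xFF, payload_at >> 8])
    mem[0:len(stub)] = stub
    mem[payload_at:payload_at + len(encrypted)] = encrypted
    return bytes(mem)


if __name__ == "__main__":
    status, oep, dump = unpack(build_packed_sample())
    print(status, hex(oep), dump[oep:oep + 3].hex())
```

A real engine applies the same idea at page or byte granularity on an x86 emulator and must additionally handle multi-layer packers (re-arm the check after each dump) and samples that probe the emulator before decrypting; the `budget` status here is the place where such a stall would surface.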

References (17)
G. Portokalidis, H. J. Bos, J. M. Slowinska. Argos: an Emulator for Fingerprinting Zero-Day Attacks (2006).
Jens Tröger. Specification-driven dynamic binary translation. Queensland University of Technology (2005).
Greg Hoglund, Jamie Butler. Rootkits: Subverting the Windows Kernel (2005).
Ulrich Bayer, Christopher Kruegel, Engin Kirda. TTAnalyze: A Tool for Analyzing Malware. Proceedings of the European Institute for Computer Antivirus Research Annual Conference (2006).
David A. Solomon, Mark Russinovich. Inside Microsoft Windows 2000 (2000).
Fabrice Bellard. QEMU, a fast and portable dynamic translator. USENIX Annual Technical Conference (2005).
Fred Cohen. Computer viruses. Computers & Security, vol. 6, pp. 22-35 (1987). DOI: 10.1016/0167-4048(87)90122-2
John S. Robin, Cynthia E. Irvine. Analysis of the Intel Pentium's ability to support a secure virtual machine monitor. USENIX Security Symposium (2000). DOI: 10.21236/ADA423654
Andreas Schuster. Searching for processes and threads in Microsoft Windows memory dumps. Digital Investigation, vol. 3, pp. 10-16 (2006). DOI: 10.1016/J.DIIN.2006.06.010