Modern malware protection systems pose an especially difficult problem for antivirus scanners. Simple obfuscation methods can diminish the effectiveness of a scanner significantly, oftentimes rendering them completely ineffective. This paper outlines the usage of a hypervisor-based deobfuscation engine that greatly improves the effectiveness of existing scanning engines. We have modified the Ether malware analysis framework to add the following features to deobfuscation: section and header rebuilding, and automated kernel virtual address descriptor (VAD) import rebuilding. Using these repair mechanisms we have shown as high as 45% improvement in the effectiveness of antivirus scanning engines.
Daniel Quist, Lorie M. Liebrock, Joshua Neil