Sciweavers

ACSAC
2006
IEEE

PolyUnpack: Automating the Hidden-Code Extraction of Unpack-Executing Malware

14 years 6 months ago
PolyUnpack: Automating the Hidden-Code Extraction of Unpack-Executing Malware
Modern malware often hide the malicious portion of their program code by making it appear as data at compiletime and transforming it back into executable code at runtime. This obfuscation technique poses obstacles to researchers who want to understand the malicious behavior of new or unknown malware and to practitioners who want to create models of detection and methods of recovery. In this paper we propose a technique for automating the process of extracting the hidden-code bodies of this class of malware. Our approach is based on the observation that sequences of packed or hidden code in a malware instance can be made self-identifying when its runtime execution is checked against its static code model. In deriving our technique, we formally define the unpack-executing behavior that such malware exhibits and devise an algorithm for identifying and extracting its hidden-code. We also provide details of the implementation and evaluation of our extraction technique; the results from ou...
Paul Royal, Mitch Halpin, David Dagon, Robert Edmo
Added 10 Jun 2010
Updated 10 Jun 2010
Type Conference
Year 2006
Where ACSAC
Authors Paul Royal, Mitch Halpin, David Dagon, Robert Edmonds, Wenke Lee
Comments (0)