DOI: 10.1145/1972551.1972556
Research article

Thwarting real-time dynamic unpacking

Published: 10 April 2011

Abstract

Packing is a very popular technique for obfuscating programs, and malware in particular. In order to successfully detect packed malware, dynamic unpacking techniques have been proposed in the literature. Dynamic unpackers execute and monitor a packed program and try to guess when the original code of the program is available unprotected in memory. The major drawback of dynamic unpackers is the performance overhead they introduce. To reduce the overhead and make it possible to perform dynamic unpacking at end hosts, researchers have proposed real-time unpackers that operate at a coarser granularity, namely OmniUnpack and Justin. In this paper, we present a simple compile-time packing algorithm that maximizes the cost of unpacking and minimizes the amount of program code that can be automatically recovered by real-time coarse-grained unpackers. The evaluation shows that the real-time dynamic unpackers are totally ineffective against this algorithm.




Published In

EUROSEC '11: Proceedings of the Fourth European Workshop on System Security
April 2011
53 pages
ISBN:9781450306133
DOI:10.1145/1972551
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 10 April 2011

Conference

EuroSys '11
Sponsor:
EuroSys '11: Sixth EuroSys Conference 2011
April 10, 2011
Salzburg, Austria

Acceptance Rates

Overall Acceptance Rate 47 of 113 submissions, 42%

Citations

Cited By

  • (2023) Xunpack: Cross-Architecture Unpacking for Linux IoT Malware. Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses, pp. 471-484. DOI: 10.1145/3607199.3607214. Online publication date: 16-Oct-2023
  • (2021) Glyph: Efficient ML-Based Detection of Heap Spraying Attacks. IEEE Transactions on Information Forensics and Security, vol. 16, pp. 740-755. DOI: 10.1109/TIFS.2020.3017925. Online publication date: 2021
  • (2020) YARAMON: A Memory-based Detection Framework for Ransomware Families. 2020 15th International Conference for Internet Technology and Secured Transactions (ICITST), pp. 1-6. DOI: 10.23919/ICITST51030.2020.9351319. Online publication date: 8-Dec-2020
  • (2018) Towards Paving the Way for Large-Scale Windows Malware Analysis. Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 395-411. DOI: 10.1145/3243734.3243771. Online publication date: 15-Oct-2018
  • (2017) Thwarting Android app repackaging by executable code fragmentation. International Journal of High Performance Computing and Networking, vol. 10, no. 4-5, pp. 320-331. DOI: 10.5555/3141079.3141087. Online publication date: 1-Jan-2017
  • (2016) RAMBO. Proceedings of the 13th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment - Volume 9721, pp. 186-206. DOI: 10.1007/978-3-319-40667-1_10. Online publication date: 7-Jul-2016
  • (2015) SoK. Proceedings of the 2015 IEEE Symposium on Security and Privacy, pp. 659-673. DOI: 10.1109/SP.2015.46. Online publication date: 17-May-2015
  • (2015) AppSpear. Proceedings of the 18th International Symposium on Research in Attacks, Intrusions, and Defenses - Volume 9404, pp. 359-381. DOI: 10.1007/978-3-319-26362-5_17. Online publication date: 2-Nov-2015
