Thwarting real-time dynamic unpacking
EUROSEC 2011, 4th ACM European Workshop on System Security, April 10th, 2011, Salzburg, Austria
Packing is a very popular technique for obfuscating programs, and malware in particular. In order to successfully detect packed malware, dynamic unpacking techniques have been proposed in the literature. Dynamic unpackers execute and monitor a packed program, and try to guess when the original code of the program is available unprotected in memory. The major drawback of dynamic unpackers is the performance overhead they introduce. To reduce the overhead and make it possible to perform dynamic unpacking at end-hosts, researchers have proposed real-time unpackers that operate at a coarser granularity, namely OmniUnpack and Justin. In this paper, we present a simple compile-time packing algorithm that maximizes the cost of unpacking and minimizes the amount of program code that can be automatically recovered by real-time coarse-grained unpackers. The evaluation shows that the real-time dynamic unpackers are totally ineffective against this algorithm.
| Type: | Conference |
| Language: | English |
| City: | Salzburg |
| Country: | AUSTRIA |
| Date: | April 2011 |
| Department: | Networking and Security |
| Eurecom ref: | 3379 |
| Copyright: | © ACM, 2011. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in EUROSEC 2011, 4th ACM European Workshop on System Security, April 10th, 2011, Salzburg, Austria http://dx.doi.org/10.1145/1972551.1972556 |
| Bibtex: | @inproceedings{EURECOM+3379, doi = {http://dx.doi.org/10.1145/1972551.1972556}, year = {2011}, title = {{T}hwarting real-time dynamic unpacking}, author = {{B}ilge, {L}eyla and {L}anzi, {A}ndrea and {B}alzarotti, {D}avide}, booktitle = {{EUROSEC} 2011, 4th {ACM} {E}uropean {W}orkshop on {S}ystem {S}ecurity, {A}pril 10th, 2011, {S}alzburg, {A}ustria}, address = {{S}alzburg, {AUSTRIA}}, month = {04}, url = {http://www.eurecom.fr/publication/3379} } |
Permalink: http://www.eurecom.fr/publication/3379