Packing is a very popular technique for obfuscating programs, and malware in particular. In order to successfully detect packed malware, dynamic unpacking techniques have been proposed in literature. Dynamic unpackers execute and monitor a packed program, and try to guess when the original code of the program is available unprotected in memory. The major drawback of dynamic unpackers is the performance overhead they introduce. To reduce the overhead and make it possible to perform dynamic unpacking at end-hosts, researches have proposed real-time unpackers that operate at a coarser granularity, namely OmniUnpack and Justin. In this paper, we present a simple compile-time packing algorithm that maximizes the cost of unpacking and minimizes the amount of program code that can be automatically recovered by real-time coarse grained unpackers. The evaluation shows that the real-time dynamic unpackers are totally ineffective against this algorithm.
Thwarting real-time dynamic unpacking
EUROSEC 2011, 4th ACM European Workshop on System Security, April 10th, 2011, Salzburg, Austria
Type:
Conference
City:
Salzburg
Date:
2011-04-10
Department:
Digital Security
Eurecom Ref:
3379
Copyright:
© ACM, 2011. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in EUROSEC 2011, 4th ACM European Workshop on System Security, April 10th, 2011, Salzburg, Austria http://dx.doi.org/10.1145/1972551.1972556
See also:
PERMALINK : https://www.eurecom.fr/publication/3379
