RAMBO: Run-time packer analysis with multiple branch observation

Ugarte-Pedrero, Xabier; Balzarotti, Davide; Santos, Igor; Bringas, Pablo G
DIMVA 2016, 13th Conference on Detection of Intrusions and Malware & Vulnerability Assessment, July 7-8, 2016, San Sebastian, Spain / Also published in LNCS, Vol. 9721/2016

Run-time packing is a technique employed by malware authors to conceal (e.g., encrypt) malicious code and recover it at run-time. In particular, some run-time packers decrypt only individual regions of code on demand, re-encrypting them as soon as they are no longer executing. This technique is known as shifting decode frames, and it greatly complicates malware analysis, since no single snapshot of memory ever contains the whole decrypted program. The first solution that comes to mind for analyzing such samples is to apply multi-path exploration in order to trigger the unpacking of every code region. Unfortunately, multi-path exploration is known to have several limitations, such as its limited scalability when analyzing real-world binaries. In this paper, we propose a set of domain-specific optimizations and heuristics to guide multi-path exploration and improve its efficiency and reliability for unpacking binaries protected with shifting decode frames.


DOI: http://dx.doi.org/10.1007/978-3-319-40667-1_10
Type: Conference
City: San Sebastian
Date: 2016-07-07
Department: Digital Security
Eurecom Ref: 4894
Copyright: © Springer. Personal use of this material is permitted. The definitive version of this paper was published in DIMVA 2016, 13th Conference on Detection of Intrusions and Malware & Vulnerability Assessment, July 7-8, 2016, San Sebastian, Spain / Also published in LNCS, Vol. 9721/2016 and is available at: http://dx.doi.org/10.1007/978-3-319-40667-1_10

PERMALINK: https://www.eurecom.fr/publication/4894