Packing is a very popular technique for obfuscating programs, and malware in particular. In order to successfully detect packed malware, dynamic unpacking techniques have been proposed in literature. Dynamic unpackers execute and monitor a packed program, and try to guess when the original code of the program is available unprotected in memory. The major drawback of dynamic unpackers is the performance overhead they introduce. To reduce the overhead and make it possible to perform dynamic unpacking at end-hosts, researches have proposed real-time unpackers that operate at a coarser granularity, namely OmniUnpack and Justin. In this paper, we present a simple compile-time packing algorithm that maximizes the cost of unpacking and minimizes the amount of program code that can be automatically recovered by real-time coarse grained unpackers. The evaluation shows that the real-time dynamic unpackers are totally ineffective against this algorithm.
Thwarting real-time dynamic unpacking / L. Bilge, A. Lanzi, D. Balzarotti - In: EUROSEC '11New York : Association for computer machinery, 2011 Apr. - ISBN 9781450306133. - pp. 1-6 (( Intervento presentato al 4. convegno European Workshop on System Security tenutosi a Salzburg nel 2011 [10.1145/1972551.1972556].
Thwarting real-time dynamic unpacking
A. LanziSecondo
;
2011
Abstract
Packing is a very popular technique for obfuscating programs, and malware in particular. In order to successfully detect packed malware, dynamic unpacking techniques have been proposed in literature. Dynamic unpackers execute and monitor a packed program, and try to guess when the original code of the program is available unprotected in memory. The major drawback of dynamic unpackers is the performance overhead they introduce. To reduce the overhead and make it possible to perform dynamic unpacking at end-hosts, researches have proposed real-time unpackers that operate at a coarser granularity, namely OmniUnpack and Justin. In this paper, we present a simple compile-time packing algorithm that maximizes the cost of unpacking and minimizes the amount of program code that can be automatically recovered by real-time coarse grained unpackers. The evaluation shows that the real-time dynamic unpackers are totally ineffective against this algorithm.
| File | Dimensione | Formato | |
|---|---|---|---|
|
unpacking-eurosec11.pdf
accesso riservato
Tipologia:
Publisher's version/PDF
Dimensione
80.73 kB
Formato
Adobe PDF
|
80.73 kB | Adobe PDF | Visualizza/Apri Richiedi una copia |
Pubblicazioni consigliate
I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
