Abstract
As reverse engineering becomes a prevalent technique for analyzing malware, malware writers leverage various anti-reverse-engineering techniques to hide their code. One commonly used technique is code packing, since packed executables hinder code analysis. While this problem has been researched before, the existing solutions are either unable to handle novel samples or vulnerable to various evasion techniques. In this chapter, we propose a fully dynamic approach that captures an intrinsic property of hidden code execution: the original code must be present in memory and executed at some point at run-time. The approach therefore monitors program execution and memory writes at run-time, determines whether the code under execution was newly generated (written after the program was loaded), and then extracts the hidden code of the executable. To demonstrate its effectiveness, we implement a system, Renovo, and evaluate it on a large number of real-world malware samples. The experiments show that Renovo is accurate compared to previous work, yet practical in terms of performance.
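The abstract describes the core mechanism only in words: record which bytes are written after load, and the moment control transfers to an instruction whose bytes carry that mark, you have found the real entry point and can dump the generated code. The following is an added illustration of that mechanism, not Renovo's code (Renovo runs on a whole-system emulator against x86 binaries). It uses an invented five-instruction bytecode, a per-byte "written" flag (an assumption of this model) and a constructed two-layer packed program, so that it runs offline and shows why the flags are cleared after each dump: clearing is what lets a second layer be detected as fresh.

```python
"""Toy model of dynamic hidden-code extraction by tracking run-time memory writes.

Illustration only: the bytecode, the packer stub and every name below are
constructed for this example and are not part of the chapter or of Renovo.
"""
from dataclasses import dataclass, field

# Constructed toy instruction set (not x86).
OP_HALT = 0x00     # HALT
OP_NOP = 0x01      # NOP
OP_JMP = 0x02      # JMP addr16
OP_XORCOPY = 0x03  # XORCOPY src16 dst16 len16 key8 : dst[i] = src[i] ^ key
OP_OUT = 0x04      # OUT imm8 : append one byte to the program's output
INSN_LEN = {OP_HALT: 1, OP_NOP: 1, OP_JMP: 3, OP_XORCOPY: 8, OP_OUT: 2}


def jmp(addr):
    return bytes([OP_JMP]) + addr.to_bytes(2, "little")


def xorcopy(src, dst, n, key):
    return (bytes([OP_XORCOPY]) + src.to_bytes(2, "little")
            + dst.to_bytes(2, "little") + n.to_bytes(2, "little") + bytes([key]))


@dataclass
class Layer:
    entry: int     # first run-time-written address that received control (the new entry point)
    regions: list  # [(start, bytes)] of every region written since the previous dump


@dataclass
class Monitor:
    mem: bytearray
    written: bytearray = field(init=False)  # one flag per byte: 1 = written after load

    def __post_init__(self):
        self.written = bytearray(len(self.mem))

    def write(self, addr, data):
        self.mem[addr:addr + len(data)] = data
        self.written[addr:addr + len(data)] = b"\x01" * len(data)

    def is_generated(self, addr, n):
        # An instruction counts as hidden code if any of its bytes was written at run time.
        return any(self.written[addr:addr + n])

    def dump_layer(self, entry):
        regions, i, n = [], 0, len(self.written)
        while i < n:
            if self.written[i]:
                j = i
                while j < n and self.written[j]:
                    j += 1
                regions.append((i, bytes(self.mem[i:j])))
                i = j
            else:
                i += 1
        self.written[:] = bytes(n)  # reset so the next unpacking layer is detected afresh
        return Layer(entry, regions)


def run(mem, entry=0, max_steps=10000):
    """Execute from `entry`; return (extracted layers, program output)."""
    mon = Monitor(mem)
    layers, out, pc = [], bytearray(), entry
    for _ in range(max_steps):
        op = mem[pc]
        if mon.is_generated(pc, INSN_LEN[op]):  # checked before every instruction
            layers.append(mon.dump_layer(pc))
        if op == OP_HALT:
            return layers, bytes(out)
        if op == OP_NOP:
            pc += 1
        elif op == OP_JMP:
            pc = int.from_bytes(mem[pc + 1:pc + 3], "little")
        elif op == OP_OUT:
            out.append(mem[pc + 1])
            pc += 2
        elif op == OP_XORCOPY:
            src = int.from_bytes(mem[pc + 1:pc + 3], "little")
            dst = int.from_bytes(mem[pc + 3:pc + 5], "little")
            ln = int.from_bytes(mem[pc + 5:pc + 7], "little")
            key = mem[pc + 7]
            mon.write(dst, bytes(b ^ key for b in mem[src:src + ln]))
            pc += 8
    raise RuntimeError("step limit reached")


def build_packed_program():
    """Constructed sample: a stub unpacks layer 1, which in turn unpacks the payload."""
    mem = bytearray(0x1000)
    payload = bytes([OP_OUT, ord("H"), OP_OUT, ord("i"), OP_HALT])
    layer1 = xorcopy(0x300, 0x400, len(payload), 0x77) + jmp(0x400)
    stub = xorcopy(0x100, 0x200, len(layer1), 0x5A) + jmp(0x200)
    mem[0:len(stub)] = stub
    mem[0x100:0x100 + len(layer1)] = bytes(b ^ 0x5A for b in layer1)
    mem[0x300:0x300 + len(payload)] = bytes(b ^ 0x77 for b in payload)
    return mem, payload


if __name__ == "__main__":
    mem, payload = build_packed_program()
    layers, out = run(mem)
    for k, layer in enumerate(layers, 1):
        print(f"layer {k}: entry 0x{layer.entry:x}, regions {[(hex(a), d.hex()) for a, d in layer.regions]}")
    print("output:", out)
```

Running it yields two layers, with entry points 0x200 and 0x400; the second layer's region is byte-for-byte the original payload, which is exactly what a static disassembler would not see in the packed file. Two practical caveats follow directly from the model: the check has to run before every instruction (a packer that decrypts one instruction and executes it immediately is still caught, but only because the flag is per byte rather than per page), and the monitor never needs to know the packer's algorithm, which is why the approach handles novel packers.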
© 2013 The Author(s)
Yin, H., Song, D. (2013). Hidden Code Extraction. In: Automatic Malware Analysis. SpringerBriefs in Computer Science. Springer, New York, NY. https://doi.org/10.1007/978-1-4614-5523-3_3
Publisher Name: Springer, New York, NY
Print ISBN: 978-1-4614-5522-6
Online ISBN: 978-1-4614-5523-3