Hidden Code Extraction

Part of the book series: SpringerBriefs in Computer Science ((BRIEFSCOMPUTER))

Abstract

As reverse engineering has become the prevalent technique for analyzing malware, malware writers leverage various anti-reverse-engineering techniques to hide their code. One commonly used technique is code packing, because packed executables hinder code analysis. While this problem has been researched before, the existing solutions either cannot handle novel samples or are vulnerable to various evasion techniques. In this chapter, we propose a fully dynamic approach that captures an intrinsic property of hidden code execution: the original code must be present in memory and executed at some point at run-time. The approach therefore monitors program execution and memory writes at run-time, determines whether the code under execution was newly generated (written by the program itself earlier in the run), and then extracts that hidden code from the executable's memory image. To demonstrate its effectiveness, we implement a system, Renovo, and evaluate it on a large number of real-world malware samples. The experiments show that Renovo is accurate compared with previous work, yet practical in terms of performance.
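The write-then-execute check described above, as an added example that is not Renovo's own code: a monitor keeps a shadow map of every byte the program writes and treats an instruction fetch from one of those bytes as the first execution of newly generated code, dumps the dirty memory as one hidden-code layer, and then resets so a second packing layer is captured on its own. The trace replayed through it is a constructed stand-in for what a whole-system emulator would report; the addresses, XOR key and payload bytes are invented, and the helper names (HiddenCodeMonitor, run_two_layer_packer) are this example's, not the chapter's.

```python
"""Write-then-execute detection of hidden (unpacked) code.

Added example, not Renovo's own code. A run-time monitor records every memory
write in shadow memory and treats an instruction fetch from a byte that was
written earlier in the run as execution of newly generated code; at that point
it dumps the dirty memory as one hidden-code layer and resets, so that a
second packing layer is captured separately. The trace fed to it below is a
constructed stand-in for what an emulator would report; all addresses, keys
and byte values are invented.
"""
from dataclasses import dataclass, field


@dataclass
class HiddenCodeLayer:
    entry_point: int                                 # first executed address of the new code
    regions: dict = field(default_factory=dict)      # start address -> bytes written there


class HiddenCodeMonitor:
    def __init__(self):
        self.written = {}       # shadow memory: address -> byte written since last layer
        self.layers = []

    def on_write(self, addr, data):
        """Record a memory write of `data` at `addr` (called for every store)."""
        for i, b in enumerate(data):
            self.written[addr + i] = b

    def on_exec(self, addr, size):
        """Called for every instruction fetch of `size` bytes at `addr`.

        Returns the new layer if this fetch is the first execution of
        self-written code, else None.
        """
        # Hidden-code condition: any byte of the instruction (not only its
        # first byte, so a partially patched instruction also counts) was
        # written by the program itself earlier in the run.
        if not any(addr + i in self.written for i in range(size)):
            return None
        layer = HiddenCodeLayer(entry_point=addr, regions=self._dump_regions())
        self.layers.append(layer)
        # Reset the shadow memory so code generated *by this layer* is
        # reported as a further layer instead of being merged into this dump.
        self.written.clear()
        return layer

    def _dump_regions(self):
        """Group the dirty bytes into contiguous regions."""
        regions, start, buf, prev = {}, None, bytearray(), None
        for a in sorted(self.written):
            if prev is None or a != prev + 1:
                if buf:
                    regions[start] = bytes(buf)
                start, buf = a, bytearray()
            buf.append(self.written[a])
            prev = a
        if buf:
            regions[start] = bytes(buf)
        return regions


def xor_decode(data, key):
    """Toy single-byte XOR 'decompression', standing in for a packer's decoder."""
    return bytes(b ^ key for b in data)


# Constructed payloads (arbitrary bytes, not real instructions) and key.
KEY = 0x5A
STAGE1_PLAIN = bytes([0x55, 0x89, 0xE5, 0x31, 0xC0, 0xC3])
STAGE2_PLAIN = bytes([0x90, 0x90, 0xB8, 0x01, 0x00, 0x00, 0x00, 0xC3])
PACKED_STAGE1 = xor_decode(STAGE1_PLAIN, KEY)    # form stored in the on-disk image
PACKED_STAGE2 = xor_decode(STAGE2_PLAIN, KEY)


def run_two_layer_packer():
    """Replay a constructed trace of a two-stage packer through the monitor."""
    mon = HiddenCodeMonitor()
    # Stage 0: the unpacking stub shipped in the on-disk image runs. Its bytes
    # were never written at run-time, so no layer is reported.
    for pc in (0x1000, 0x1005, 0x100A):
        mon.on_exec(pc, 5)
    # The stub also stores ordinary data (a saved pointer on the stack). That
    # is dirty memory too and will appear in the dump, but it is never
    # executed, so it does not trigger detection: the entry point is what
    # tells code apart from data in the dumped regions.
    mon.on_write(0x7FFE0, b"\x00\x10\x00\x00")
    # Stage 0 decodes layer 1 into fresh memory and transfers control to it.
    mon.on_write(0x2000, xor_decode(PACKED_STAGE1, KEY))
    mon.on_exec(0x2000, 1)          # write-then-execute: layer 1 reported here
    mon.on_exec(0x2001, 2)          # rest of layer 1 runs; shadow was reset, no report
    # Layer 1 is itself a packer: it decodes the real payload and jumps to it.
    mon.on_write(0x3000, xor_decode(PACKED_STAGE2, KEY))
    mon.on_exec(0x3000, 2)          # layer 2 reported
    mon.on_exec(0x3002, 5)
    return mon.layers


if __name__ == "__main__":
    for n, layer in enumerate(run_two_layer_packer(), 1):
        print(f"layer {n}: entry point {layer.entry_point:#x}")
        for start, data in layer.regions.items():
            print(f"  {start:#x}: {data.hex()}")
```

Two practical points the replay makes visible: the dump of a layer contains every byte written since the previous layer, data included, so the recorded entry point (the first executed written address) is what a practitioner uses to locate the code inside it; and because the shadow map is cleared after each report, a packer that decodes a further stage from inside already-extracted code yields a separate layer rather than corrupting the first dump. A real deployment tracks this at page or byte granularity inside an emulator rather than from a hand-built trace.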

Copyright information

© 2013 The Author(s)

About this chapter

Cite this chapter

Yin, H., Song, D. (2013). Hidden Code Extraction. In: Automatic Malware Analysis. SpringerBriefs in Computer Science. Springer, New York, NY. https://doi.org/10.1007/978-1-4614-5523-3_3

  • DOI: https://doi.org/10.1007/978-1-4614-5523-3_3

  • Publisher Name: Springer, New York, NY

  • Print ISBN: 978-1-4614-5522-6

  • Online ISBN: 978-1-4614-5523-3

  • eBook Packages: Computer Science, Computer Science (R0)
