Efficient and Automatic Instrumentation for Packed Binaries

  • Yanjun Wu
  • Tzi-cker Chiueh
  • Chen Zhao
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5576)


Many modern software security techniques require transformation of executable binaries to add security features. Such transformation heavily depends on the correct and effecient disassembly. However, an increasing number of application binaries are packed before being distributed in the commercial world. Packed binaries are a special type of self-modifying code, which existing binary disassembly tools do not support very well, especially when automatic instrumentation is needed. This paper describes the design, implementation and evaluation of an efficient and automatic binary instrumentation tool for packed Win32/X86 binaries called Uncover. Uncover features two novel techniques: statically distinct packed binaries by entropy computation to minimize run-time disassembly overhead, and accurate tracking of binary unpacking process during runtime. These two techniques make it possible to disassemble Win32/X86 packed binaries as if they were never packed.


Packed Binary Performance Overhead Entropy Computation Code Section Test Binary 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    IDAPro. IDA Pro Disassembler,
  2. 2.
    OllyDbg. Oleh Yuschuk,
  3. 3.
    Peid, J., Qwerton, S., Xineohp, P.,
  4. 4.
    Lyda, R., Hamrock, J.: Using Entropy Analysis to Find Encrypted and Packed Malware. IEEE Security and Privacy 5(2), 40–45 (2007)CrossRefGoogle Scholar
  5. 5.
    UPX. The ultimate packer for executables,
  6. 6.
    ASPack. The advanced Win32 executable file compressor,
  7. 7.
    PECompact. PE packer,
  8. 8.
    Bala, V., Duesterwald, E., Banerjia, S.: Dynamo: a transparent dynamic optimization system. ACM SIGPLAN Notices 35(5), 1–12 (2000)CrossRefGoogle Scholar
  9. 9.
    Dyninst. An application program interface (api) for runtime code generation,
  10. 10.
    Luk, C.-K., Cohn, R., Muth, R., Patil, H., Klauser, A., Lowney, G., Wallace, S., Reddi, V.J., Hazelwood, K.: Pin: building customized program analysis tools with dynamic instrumentation. In: PLDI 2005: Proceedings of the 2005 ACM SIGPLAN conference on Programming language design and implementation, pp. 190–200. ACM Press, New York (2005)CrossRefGoogle Scholar
  11. 11.
    Sridhar, S., Shapiro, J.S., Bungale, P.P.: HDTrans: A Low-Overhead Dynamic Translator. In: Proc 2005 Workshop on Binary Instrumentation and Applications (2005)Google Scholar
  12. 12.
    Bellard, F.: QEMU, a Fast and Portable Dynamic Translator. In: Proc of USENIX 2005 Annual Technical Conference, FREENIX Track, pp. 41–46 (2005)Google Scholar
  13. 13.
    Martignoni, L., Christodorescu, M., Jha, S.: OmniUnpack: Fast, Generic, and Safe Unpacking of Malware. In: Proc. of 23 Annual Technical Computer Security Applications Conference (ACSAC 2007), pp. 431–441 (2007)Google Scholar
  14. 14.
    Nanda, S., Li, W., Lam, L.-C., Chiueh, T.: Bird: Binary interpretation using runtime disassembly. In: Conference of Code Generation and Optimization 2006, pp. 358–370 (2006)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Yanjun Wu
    • 1
    • 2
  • Tzi-cker Chiueh
    • 3
  • Chen Zhao
    • 1
    • 2
  1. 1.Institute of SoftwareChinese Academy of SciencesBeijingChina
  2. 2.National Engineering and Research Center for Fundamental SoftwareBeijingChina
  3. 3.Dept. of Computer ScienceSUNY at Stony BrookStony BrookUSA

Personalised recommendations