Renovo: a hidden code extractor for packed executables
Full text: PDF (187 KB)
Source
Workshop on Rapid Malcode
Proceedings of the 2007 ACM Workshop on Recurring Malcode
Alexandria, Virginia, USA
Session: Analyzing and detecting malware
Pages: 46-53
Year of Publication: 2007
ISBN: 978-1-59593-886-2
Authors
Min Gyung Kang  Carnegie Mellon University, Pittsburgh, PA
Pongsin Poosankam  Carnegie Mellon University, Pittsburgh, PA
Heng Yin  Carnegie Mellon University, Pittsburgh, PA
Sponsors
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
ACM: Association for Computing Machinery
Publisher
ACM  New York, NY, USA
DOI: http://doi.acm.org/10.1145/1314389.1314399
ABSTRACT

As reverse engineering becomes a prevalent technique for analyzing malware, malware writers leverage various anti-reverse-engineering techniques to hide their code. One technique commonly used is code packing, since packed executables hinder code analysis. While this problem has been studied before, the existing solutions are either unable to handle novel samples or vulnerable to various evasion techniques. In this paper, we propose a fully dynamic approach that captures an intrinsic property of hidden code execution: the original code must be present in memory and executed at some point at run time. The approach therefore monitors program execution and memory writes at run time, determines whether the code under execution was newly generated, and then extracts the hidden code of the executable. To demonstrate its effectiveness, we implement a system, Renovo, and evaluate it with a large number of real-world malware samples. The experiments show that Renovo is accurate compared to previous work, yet practical in terms of performance.
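The write-then-execute rule the abstract describes, as an added illustration that is not the authors' code (Renovo instruments a real x86 system; this is a toy stand-in). Everything below is constructed for the example: a 256-byte machine with a 3-byte fixed-width instruction set, a packer stub that XOR-decodes its payload in place with the assumed key 0x5A, and a per-byte shadow bitmap that marks memory written since the program started. The monitor checks the bitmap at every instruction fetch; the first fetch from written bytes dumps the surrounding written region as an unpacked layer and clears the bitmap so a second packing layer would be caught the same way.

```python
"""Write-then-execute monitor over a toy machine (constructed example).

Memory is 256 bytes; each instruction is 3 bytes: opcode, a, b.  A shadow
bitmap records every byte written since start (or since the last dump).
A fetch from written bytes dumps the contiguous written region as a layer.
"""

MEM_SIZE = 256
INSN_LEN = 3
XOR_KEY = 0x5A          # constructed packing key, part of this example only
PAYLOAD_ADDR = 0x40     # packed payload lives here and is decoded in place

# Opcodes of the constructed toy ISA; operand semantics are in run_and_extract.
HALT, LDI, LDM, STM, XOR, ADD, DJNZ, JMP, OUT = range(9)


def asm(insns):
    """Encode (opcode, a, b) tuples as fixed 3-byte instructions."""
    code = bytearray()
    for op, a, b in insns:
        code += bytes((op, a, b))
    return bytes(code)


# Hidden program: load 42, emit it, halt.  This is what an analyst wants back.
HIDDEN = asm([(LDI, 2, 42), (OUT, 2, 0), (HALT, 0, 0)])
PACKED = bytes(x ^ XOR_KEY for x in HIDDEN)

# Unpacker stub: decode PACKED in place, then jump into the decoded bytes.
STUB = asm([
    (LDI, 0, PAYLOAD_ADDR),     #  0: r0 = pointer into packed payload
    (LDI, 3, len(HIDDEN)),      #  3: r3 = number of bytes to decode
    (LDM, 1, 0),                #  6: r1 = mem[r0]
    (XOR, 1, XOR_KEY),          #  9: r1 ^= key
    (STM, 1, 0),                # 12: mem[r0] = r1  (writes future code)
    (ADD, 0, 1),                # 15: r0 += 1
    (DJNZ, 3, 6),               # 18: if --r3 != 0 goto 6
    (JMP, PAYLOAD_ADDR, 0),     # 21: control transfer into decoded code
])


def build_packed_image():
    """Memory image of the packed executable: stub at 0, payload at 0x40."""
    mem = bytearray(MEM_SIZE)
    mem[0:len(STUB)] = STUB
    mem[PAYLOAD_ADDR:PAYLOAD_ADDR + len(PACKED)] = PACKED
    return bytes(mem)


def run_and_extract(image, max_steps=10_000):
    """Execute the image; return (layers, outputs).

    layers: list of (entry_pc, dumped_bytes), one per write-then-execute
    event; outputs: values emitted by OUT, showing the program still ran.
    """
    mem = bytearray(image)
    written = bytearray(MEM_SIZE)   # shadow bit per byte: 1 = written
    regs = [0] * 4
    pc = 0
    layers, outputs = [], []
    for _ in range(max_steps):
        # Checked at fetch time, so it fires however control arrived here;
        # written bytes that are never executed (plain data) do not trigger it.
        if any(written[pc:pc + INSN_LEN]):
            start, end = pc, pc
            while start > 0 and written[start - 1]:
                start -= 1
            while end < MEM_SIZE and written[end]:
                end += 1
            layers.append((pc, bytes(mem[start:end])))
            written = bytearray(MEM_SIZE)   # reset so a further layer is caught
        op, a, b = mem[pc:pc + INSN_LEN]
        pc += INSN_LEN
        if op == HALT:
            break
        elif op == LDI:
            regs[a] = b
        elif op == LDM:
            regs[a] = mem[regs[b]]
        elif op == STM:                     # the only memory write in the ISA
            mem[regs[b]] = regs[a]
            written[regs[b]] = 1
        elif op == XOR:
            regs[a] ^= b
        elif op == ADD:
            regs[a] = (regs[a] + b) & 0xFF
        elif op == DJNZ:
            regs[a] = (regs[a] - 1) & 0xFF
            if regs[a]:
                pc = b
        elif op == JMP:
            pc = a
        elif op == OUT:
            outputs.append(regs[a])
        else:
            raise ValueError(f"bad opcode {op:#x} at {pc - INSN_LEN:#x}")
    return layers, outputs


if __name__ == "__main__":
    layers, outputs = run_and_extract(build_packed_image())
    for entry, dump in layers:
        print(f"layer at {entry:#04x}: {dump.hex()} (== HIDDEN: {dump == HIDDEN})")
    print("program output:", outputs)
```

Running the packed image yields exactly one layer, entered at 0x40, whose bytes equal HIDDEN even though the image on disk only contained PACKED; running HIDDEN directly from address 0 produces the same output and no layer, because nothing was written before being executed. The monitor never inspects the stub's bytes or looks for a known packer signature, which is what makes the approach independent of the packer in use; the price is that any self-modifying code, including benign JIT output, is dumped as a layer too.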


