| Presentation | 2010-06-17 Automatic OEP Finding Method for Malware Unpacking Yuhei Kawakoya, Makoto Iwamura, Mitsutaka Itoh, |
|---|---|
| PDF Download Page |  PDF download Page Link |
| Abstract(in Japanese) | (See Japanese page) |
| Abstract(in English) | Malware analysts have to first extract hidden original code from a packed executable to analyze malware functionalities, since most of the recent malwares are obfuscated by a packer in order to disturb analysis process with debuggers and dis-assemblers. Several studies have been made on automatic extraction of hidden original code, which executes a malware on an isolated environment, monitor write memory accesses and instruction fetches at runtime, determines if the code under execution is newly generated and then dump specific memory areas into a file as a candidate of the original code. However, these previous proposed techniques create many dump files as candidates of the original code so that it is difficult to identify the true original code. In this paper, we propose a method of automatically picking out the true original code from many candidates depending on the change in memory access trend before and after dumping points. To demonstrate its effectiveness, we implement our proposed system and evaluate it with five malwares packed by five different packers. Our experiment data shows our proposed method achieves finding the original entry points of four malwares and getting original code of all five malwares. |
| Keyword(in Japanese) | (See Japanese page) |
| Keyword(in English) | Malware / Unpacking / OEP / Virtual Machine Monitor / Memory Access Trace |
| Paper # | IA2010-3,ICSS2010-3 |
| Date of Issue |
| Conference Information | |
| Committee | IA |
|---|---|
| Conference Date | 2010/6/10(1days) |
| Place (in Japanese) | (See Japanese page) |
| Place (in English) | |
| Topics (in Japanese) | (See Japanese page) |
| Topics (in English) | |
| Chair | |
| Vice Chair | |
| Secretary | |
| Assistant | |
| Paper Information | |
| Registration To | Internet Architecture(IA) |
|---|---|
| Language | JPN |
| Title (in Japanese) | (See Japanese page) |
| Sub Title (in Japanese) | (See Japanese page) |
| Title (in English) | Automatic OEP Finding Method for Malware Unpacking |
| Sub Title (in English) | |
| Keyword(1) | Malware |
| Keyword(2) | Unpacking |
| Keyword(3) | OEP |
| Keyword(4) | Virtual Machine Monitor |
| Keyword(5) | Memory Access Trace |
| 1st Author's Name | Yuhei Kawakoya |
| 1st Author's Affiliation | NTT Information Sharing and Platform Laboratories() |
| 2nd Author's Name | Makoto Iwamura |
| 2nd Author's Affiliation | NTT Information Sharing and Platform Laboratories |
| 3rd Author's Name | Mitsutaka Itoh |
| 3rd Author's Affiliation | NTT Information Sharing and Platform Laboratories |
| Date | 2010-06-17 |
| Paper # | IA2010-3,ICSS2010-3 |
| Volume (vol) | vol.110 |
| Number (no) | 78 |
| Page | pp.pp.- |
| #Pages | 6 |
| Date of Issue | |