| Presentation | 2013-06-21 Generic Unpacking Method Using Data Execution Prevention Ryoichi ISAWA, Masaki KAMIZONO, Daisuke INOUE, |
|---|---|
| PDF Download Page |  PDF download Page Link |
| Abstract(in Japanese) | (See Japanese page) |
| Abstract(in English) | To skip unpacking steps, automated generic unpacking methods are strongly required. The basic idea of the generic unpacking is to find memory areas on which data was written and then executed. That is because the unpacker code of a packed file, no matter which packer is used, decrypts the original code, writes it to an area on the memory, and then executes it. DEP (data execution prevention) provides us a way to detect such areas. However, writing and executing data often occur on the memory, so that the candidates of the original entory point are created. In this paper, we propose a detection method that decides which candidate is true. Our method calculates an entropy value of the memory when a candidate is created. Next our method searches for API address values on the memory. The original point is determined by the two factors. The experiment shows that our method can detect each entry point of 14 packed files, in which the total number of packed files is 20. |
| Keyword(in Japanese) | (See Japanese page) |
| Keyword(in English) | Malware analysis / Packer / Kernel mode / NX bit |
| Paper # | IA2013-13,ICSS2013-13 |
| Date of Issue |
| Conference Information | |
| Committee | IA |
|---|---|
| Conference Date | 2013/6/13(1days) |
| Place (in Japanese) | (See Japanese page) |
| Place (in English) | |
| Topics (in Japanese) | (See Japanese page) |
| Topics (in English) | |
| Chair | |
| Vice Chair | |
| Secretary | |
| Assistant | |
| Paper Information | |
| Registration To | Internet Architecture(IA) |
|---|---|
| Language | JPN |
| Title (in Japanese) | (See Japanese page) |
| Sub Title (in Japanese) | (See Japanese page) |
| Title (in English) | Generic Unpacking Method Using Data Execution Prevention |
| Sub Title (in English) | |
| Keyword(1) | Malware analysis |
| Keyword(2) | Packer |
| Keyword(3) | Kernel mode |
| Keyword(4) | NX bit |
| 1st Author's Name | Ryoichi ISAWA |
| 1st Author's Affiliation | National Institute of Information and Communications Technology() |
| 2nd Author's Name | Masaki KAMIZONO |
| 2nd Author's Affiliation | National Institute of Information and Communications Technology:SecureBrain Corporation |
| 3rd Author's Name | Daisuke INOUE |
| 3rd Author's Affiliation | National Institute of Information and Communications Technology |
| Date | 2013-06-21 |
| Paper # | IA2013-13,ICSS2013-13 |
| Volume (vol) | vol.113 |
| Number (no) | 94 |
| Page | pp.pp.- |
| #Pages | 6 |
| Date of Issue | |