By Topic

Memory behavior-based automatic malware unpacking in stealth debugging environment

Sign In

Cookies must be enabled to login.After enabling cookies , please use refresh or reload or ctrl+f5 on the browser for the login options.

Formats Non-Member Member
$33 $13
Learn how you can qualify for the best price for this item!
Become an IEEE Member or Subscribe to
IEEE Xplore for exclusive pricing!
close button

puzzle piece

IEEE membership options for an individual and IEEE Xplore subscriptions for an organization offer the most affordable access to essential journal articles, conference papers, standards, eBooks, and eLearning courses.

Learn more about:

IEEE membership

IEEE Xplore subscriptions

3 Author(s)
Kawakoya, Y. ; NTT Inf. Sharing & Platform Labs., Musashino, Japan ; Iwamura, M. ; Itoh, M.

Malware analysts have to first extract hidden original code from a packed executable to analyze malware because most recent malware is obfuscated by a packer in order to disrupt analysis by debuggers and dis-assemblers. There are several studies on automatic extraction of hidden original code, which executes malware in an isolated environment, monitors write memory accesses and instruction fetches at runtime, determines if the code under execution is newly generated, then dumps specific memory areas into a file as candidates for the original code. However, the conventional techniques output many dump files as candidates for the original code when experiments are conducted on malware in the wild. Thus, manual identification of the true original code is needed. In this paper, we present “memory behavior-based unpacking,” an algorithm that automatically identifies the true original code from among many candidates depending on the change in the trend of accessed memory addresses before and after the dumping points. To achieve this algorithm, we have implemented Stealth Debugger, a virtual machine monitor for debugging and monitoring all memory accesses of a process without interruption by any anti-debug functions of the malware. We have evaluated our proposed system by using malware obfuscated by various common packers. The results show that our proposed system successfully finds the original entry points and obtains the original code of the malware.

Published in:

Malicious and Unwanted Software (MALWARE), 2010 5th International Conference on

Date of Conference:

19-20 Oct. 2010