DOI: 10.1145/1314389.1314399
Article

Renovo: a hidden code extractor for packed executables

Published: 02 November 2007

Abstract

As reverse engineering becomes a prevalent technique for analyzing malware, malware writers leverage various anti-reverse-engineering techniques to hide their code. One commonly used technique is code packing, since packed executables hinder code analysis. While this problem has been researched before, the existing solutions are either unable to handle novel samples or vulnerable to various evasion techniques. In this paper, we propose a fully dynamic approach that captures an intrinsic property of hidden code execution: the original code must be present in memory and executed at some point at run time. Thus, this approach monitors program execution and memory writes at run time, determines whether the code under execution is newly generated, and then extracts the hidden code of the executable. To demonstrate its effectiveness, we implement a system, Renovo, and evaluate it with a large number of real-world malware samples. The experiments show that Renovo is accurate compared to previous work, yet practical in terms of performance.
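As an added illustration (not Renovo's own code), the following Python models the execute-after-write check the abstract describes: every memory write marks its addresses in a shadow set, each instruction is checked against that set before it runs, and the contiguous written region around the instruction pointer is dumped as one hidden-code layer, after which the set is reset so a second unpacking stage is detected as a new layer. The monitor class, the event format and the instruction trace are constructed assumptions, not a real emulator trace.

```python
from dataclasses import dataclass, field

@dataclass
class HiddenCodeMonitor:
    memory: dict = field(default_factory=dict)  # sparse guest memory: addr -> byte
    dirty: set = field(default_factory=set)     # addresses written since last extraction
    layers: list = field(default_factory=list)  # extracted hidden-code layers: (base, bytes)

    def on_write(self, addr, data):
        """Record every memory write the emulator observes."""
        for i, b in enumerate(data):
            self.memory[addr + i] = b
            self.dirty.add(addr + i)

    def on_execute(self, eip, length):
        """Extract a layer if the instruction at eip overlaps run-time-written bytes."""
        if not any(a in self.dirty for a in range(eip, eip + length)):
            return None  # executing code that was present in the original image
        lo, hi = eip, eip  # widen to the contiguous dirty region around eip
        while lo - 1 in self.dirty:
            lo -= 1
        while hi + 1 in self.dirty:
            hi += 1
        blob = bytes(self.memory[a] for a in range(lo, hi + 1))
        self.layers.append((lo, blob))
        self.dirty.clear()  # writes from now on belong to the next layer
        return lo, blob

def run_trace(events):
    """Replay ('w', addr, bytes) writes and ('x', addr, length) executions."""
    mon = HiddenCodeMonitor()
    for kind, addr, arg in events:
        mon.on_write(addr, arg) if kind == 'w' else mon.on_execute(addr, arg)
    return mon.layers

# Constructed trace: a stub at 0x401000 decodes a stage into 0x402000 and jumps
# there; that stage then writes and jumps to a second stage at 0x403000.
SAMPLE_TRACE = [
    ('x', 0x401000, 5),                          # stub runs from the original image
    ('w', 0x402000, bytes([0x55, 0x8B, 0xEC])),  # decoded bytes land in memory
    ('w', 0x402003, bytes([0x90, 0xC3])),
    ('x', 0x402000, 1),                          # jump into fresh code -> layer 1
    ('x', 0x402001, 2),                          # same layer, already extracted
    ('w', 0x403000, bytes([0x31, 0xC0, 0xC3])),
    ('x', 0x403000, 2),                          # second stage -> layer 2
]

if __name__ == "__main__":
    for base, code in run_trace(SAMPLE_TRACE):
        print(f"hidden code layer at {base:#x}: {code.hex()}")
```

A real implementation tracks writes at page or byte granularity inside the emulator rather than from a replayed event list, but the decision rule is the same.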


Published In

cover image ACM Conferences
WORM '07: Proceedings of the 2007 ACM workshop on Recurring malcode
November 2007
76 pages
ISBN:9781595938862
DOI:10.1145/1314389
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. code obfuscation
  2. dynamic analysis
  3. malware analysis
  4. reverse engineering

Qualifiers

  • Article

Conference

CCS07

Article Metrics

  • Downloads (Last 12 months)35
  • Downloads (Last 6 weeks)3
Reflects downloads up to 23 Sep 2024

Cited By

View all
  • (2024) Pinicorn: Towards Automated Dynamic Analysis for Unpacking 32-Bit PE Malware. Electronics 13(11):2081. doi:10.3390/electronics13112081. Online publication date: 27-May-2024.
  • (2024) Original Entry Point Detection Based on Graph Similarity. Foundations and Practice of Security, pages 355-371. doi:10.1007/978-3-031-57537-2_22. Online publication date: 25-Apr-2024.
  • (2024) A Measurement Study on Interprocess Code Propagation of Malicious Software. Digital Forensics and Cyber Crime, pages 264-282. doi:10.1007/978-3-031-56583-0_18. Online publication date: 3-Apr-2024.
  • (2023) Xunpack: Cross-Architecture Unpacking for Linux IoT Malware. Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses, pages 471-484. doi:10.1145/3607199.3607214. Online publication date: 16-Oct-2023.
  • (2023) Use of cryptography in malware obfuscation. Journal of Computer Virology and Hacking Techniques. doi:10.1007/s11416-023-00504-y. Online publication date: 25-Sep-2023.
  • (2023) Towards Generic Malware Unpacking: A Comprehensive Study on the Unpacking Behavior of Malicious Run-Time Packers. Secure IT Systems, pages 245-262. doi:10.1007/978-3-031-47748-5_14. Online publication date: 8-Nov-2023.
  • (2022) Scramblesuit: An effective timing side-channels framework for malware sandbox evasion. Journal of Computer Security 30(6):851-876. doi:10.3233/JCS-220005. Online publication date: 23-Nov-2022.
  • (2022) Script Tainting Was Doomed From The Start (By Type Conversion): Converting Script Engines into Dynamic Taint Analysis Frameworks. Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses, pages 380-394. doi:10.1145/3545948.3545969. Online publication date: 26-Oct-2022.
  • (2022) File Packing from the Malware Perspective: Techniques, Analysis Approaches, and Directions for Enhancements. ACM Computing Surveys 55(5):1-45. doi:10.1145/3530810. Online publication date: 3-Dec-2022.
  • (2022) Hiding critical program components via ambiguous translation. Proceedings of the 44th International Conference on Software Engineering, pages 1120-1132. doi:10.1145/3510003.3510139. Online publication date: 21-May-2022.
