For Full-Text PDF, please login, if you are a member of IEICE,|
or go to Pay Per View on menu list, if you are a nonmember of IEICE.
BareUnpack: Generic Unpacking on the Bare-Metal Operating System
Binlin CHENG Pengwei LI
IEICE TRANSACTIONS on Information and Systems
Publication Date: 2018/12/01
Online ISSN: 1745-1361
Type of Manuscript: PAPER
Category: Information Network
malware analysis, environment-sensitive techniques, simulated environment, generic unpacker,
Full Text: PDF(515.9KB)>>
Malware has become a growing threat as malware writers have learned that signature-based detectors can be easily evaded by packing the malware. Packing is a major challenge to malware analysis. The generic unpacking approach is the major solution to the threat of packed malware, and it is based on the intrinsic nature of the execution of packed executables. That is, the original code should be extracted in memory and get executed at run-time. The existing generic unpacking approaches need a simulated environment to monitor the executing of the packed executables. Unfortunately, the simulated environment is easily detected by the environment-sensitive packers. It makes the existing generic unpacking approaches easily evaded by the packer. In this paper, we propose a novel unpacking approach, BareUnpack, to monitor the execution of the packed executables on the bare-metal operating system, and then extracts the hidden code of the executable. BareUnpack does not need any simulated environment (debugger, emulator or VM), and it works on the bare-metal operating system directly. Our experimental results show that BareUnpack can resist the environment-sensitive packers, and improve the unpacking effectiveness, which outperforms other existing unpacking approaches.