BareUnpack: Generic Unpacking on the Bare-Metal Operating System

Binlin CHENG  Pengwei LI  

IEICE TRANSACTIONS on Information and Systems   Vol.E101-D   No.12   pp.3083-3091
Publication Date: 2018/12/01
Publicized: 2018/09/12
Online ISSN: 1745-1361
DOI: 10.1587/transinf.2017EDP7424
Type of Manuscript: PAPER
Category: Information Network
malware analysis,  environment-sensitive techniques,  simulated environment,  generic unpacker,  

Full Text: PDF(515.9KB)>>
Buy this Article

Malware has become a growing threat as malware writers have learned that signature-based detectors can be easily evaded by packing the malware. Packing is a major challenge to malware analysis. The generic unpacking approach is the major solution to the threat of packed malware, and it is based on the intrinsic nature of the execution of packed executables. That is, the original code should be extracted in memory and get executed at run-time. The existing generic unpacking approaches need a simulated environment to monitor the executing of the packed executables. Unfortunately, the simulated environment is easily detected by the environment-sensitive packers. It makes the existing generic unpacking approaches easily evaded by the packer. In this paper, we propose a novel unpacking approach, BareUnpack, to monitor the execution of the packed executables on the bare-metal operating system, and then extracts the hidden code of the executable. BareUnpack does not need any simulated environment (debugger, emulator or VM), and it works on the bare-metal operating system directly. Our experimental results show that BareUnpack can resist the environment-sensitive packers, and improve the unpacking effectiveness, which outperforms other existing unpacking approaches.