Nearly every malware sample is sheathed in an executable protection which must be removed before static analyses can proceed. Existing research has studied automatically unpacking certain protections, but has not yet caught up with many modern techniques. Contrary to prior assumptions, protected programs do not always have the property that they are reverted to a fully unprotected state at some point during the course of their execution. This work provides a novel technique for circumventing one of the most problematic features of modern software protections, so-called virtualization obfuscation. The technique enables analysis of heretofore impenetrable malware.