The first steps in analyzing defensive malware are understanding what obfuscations are present in real-world malware binaries, how these obfuscations hinder analysis, and how they can be overcome. While some obfuscations have been reported independently, this survey consolidates the discussion while adding substantial depth and breadth to it. This survey also quantifies the relative prevalence of these obfuscations by using the Dyninst binary analysis and instrumentation tool that was recently extended for defensive malware analysis. The goal of this survey is to encourage analysts to focus on resolving the obfuscations that are most prevalent in real-world malware.