Renovo: A hidden code extractor for packed executables

Min Gyung Kang, Pongsin Poosankam, Heng Yin

Research output: Chapter in Book/Entry/Poem › Conference contribution

216 Scopus citations

Abstract

As reverse engineering becomes a prevalent technique for analyzing malware, malware writers leverage various anti-reverse-engineering techniques to hide their code. One commonly used technique is code packing, since packed executables hinder code analysis. While this problem has been researched before, the existing solutions are either unable to handle novel samples or vulnerable to various evasion techniques. In this paper, we propose a fully dynamic approach that captures an intrinsic property of hidden code execution: the original code must be present in memory and executed at some point at run-time. Accordingly, this approach monitors program execution and memory writes at run-time, determines whether the code under execution is newly generated, and then extracts the hidden code of the executable. To demonstrate its effectiveness, we implement a system, Renovo, and evaluate it with a large number of real-world malware samples. The experiments show that Renovo is accurate compared to previous work, yet practical in terms of performance.
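The write-then-execute check the abstract describes, as an added toy model (not the paper's implementation): shadow memory records every byte written after the program starts, and an instruction fetch that lands on such bytes marks the start of a newly generated code layer, which is dumped and the shadow state reset so a further layer can be caught. The `Tracer` class, the trace format and the sample trace are constructed here; dumping only the contiguous dirty region is a simplification of the paper's memory snapshot.

```python
from dataclasses import dataclass, field

@dataclass
class Tracer:
    """Hypothetical tracer: memory plus a shadow set of run-time-written addresses."""
    mem: bytearray
    dirty: set = field(default_factory=set)   # addresses written since start
    layers: list = field(default_factory=list)  # (base address, bytes) per layer

    def write(self, addr, data):
        """Memory-write hook: store the bytes and mark them as written."""
        self.mem[addr:addr + len(data)] = data
        self.dirty.update(range(addr, addr + len(data)))

    def fetch(self, addr, size):
        """Instruction-fetch hook: was any byte of this instruction written at run-time?"""
        if not any(a in self.dirty for a in range(addr, addr + size)):
            return False
        lo, hi = addr, addr                 # expand to the contiguous dirty region
        while lo - 1 in self.dirty:
            lo -= 1
        while hi in self.dirty:
            hi += 1
        self.layers.append((lo, bytes(self.mem[lo:hi])))
        self.dirty.difference_update(range(lo, hi))   # reset for the next layer
        return True

def extract_layers(trace, mem_size=64):
    """Replay a constructed ('write', addr, bytes) / ('exec', addr, size) trace."""
    t = Tracer(bytearray(mem_size))
    for op in trace:
        if op[0] == "write":
            t.write(op[1], op[2])
        else:
            t.fetch(op[1], op[2])
    return t.layers

# Constructed trace: a stub at 0x00 writes plain data at 0x10 (never executed),
# unpacks layer 1 at 0x20 and jumps to it; layer 1 unpacks layer 2 at 0x30.
TRACE = [
    ("exec", 0x00, 2), ("write", 0x10, b"DATA"), ("exec", 0x02, 2),
    ("write", 0x20, b"\x90\x90\xc3"), ("exec", 0x20, 1), ("exec", 0x21, 1),
    ("write", 0x30, b"\xcc\xcc"), ("exec", 0x22, 1), ("exec", 0x30, 1),
]
```

Replaying `TRACE` yields two layers, at 0x20 and 0x30; the data write at 0x10 is never flagged because it is written but never fetched as code.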

Original language: English (US)
Title of host publication: WORM'07 - Proceedings of the 2007 ACM Workshop on Recurring Malcode
Pages: 46-53
Number of pages: 8
DOIs
State: Published - 2007
Event: 2007 ACM Workshop on Recurring Malcode, WORM'07 - Alexandria, VA, United States
Duration: Nov 2 2007 to Nov 2 2007

Publication series

Name: WORM'07 - Proceedings of the 2007 ACM Workshop on Recurring Malcode

Other

Other: 2007 ACM Workshop on Recurring Malcode, WORM'07
Country/Territory: United States
City: Alexandria, VA
Period: 11/2/07 to 11/2/07

Keywords

  • Code Obfuscation
  • Dynamic Analysis
  • Malware Analysis
  • Reverse Engineering

ASJC Scopus subject areas

  • Computational Theory and Mathematics
  • Software
