TY - GEN
T1 - Renovo
T2 - 2007 ACM Workshop on Recurring Malcode, WORM'07
AU - Kang, Min Gyung
AU - Poosankam, Pongsin
AU - Yin, Heng
PY - 2007
Y1 - 2007
N2 - As reverse engineering becomes a prevalent technique to analyze malware, malware writers leverage various anti-reverse engineering techniques to hide their code. One technique commonly used is code packing as packed executables hinder code analysis. While this problem has been previously researched, the existing solutions are either unable to handle novel samples, or vulnerable to various evasion techniques. In this paper, we propose a fully dynamic approach that captures an intrinsic nature of hidden code execution that the original code should be present in memory and executed at some point at run-time. Thus, this approach monitors program execution and memory writes at run-time, determines if the code under execution is newly generated, and then extracts the hidden code of the executable. To demonstrate its effectiveness, we implement a system, Renovo, and evaluate it with a large number of real-world malware samples. The experiments show that Renovo is accurate compared to previous work, yet practical in terms of performance.
KW - Code Obfuscation
KW - Dynamic Analysis
KW - Malware Analysis
KW - Reverse Engineering
UR - http://www.scopus.com/inward/record.url?scp=70349448915&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=70349448915&partnerID=8YFLogxK
U2 - 10.1145/1314389.1314399
DO - 10.1145/1314389.1314399
M3 - Conference contribution
AN - SCOPUS:70349448915
SN - 9781595938862
T3 - WORM'07 - Proceedings of the 2007 ACM Workshop on Recurring Malcode
SP - 46
EP - 53
BT - WORM'07 - Proceedings of the 2007 ACM Workshop on Recurring Malcode
Y2 - 2 November 2007 through 2 November 2007
ER -