Reverse Engineering Self-Modifying Code: Unpacker Extraction

An important application of binary-level reverse engineering is in reconstructing the internal logic of computer malware. Most malware code is distributed in encrypted (or "packed") form; at runtime, an unpacker routine transforms it back into the original executable form of the code, which is then executed. Most of the existing work on the analysis of such programs focuses on detecting unpacking and extracting the unpacked code. However, this does not shed any light on the functionality of the different portions of the code so obtained; in particular, it does not distinguish between code that performs unpacking and code that does not. Identifying such functionality can be helpful for reverse engineering the code. This paper describes a technique for identifying and extracting the unpacker code in a self-modifying program. Our algorithm uses offline analysis of a dynamic instruction trace both to identify the point(s) where unpacking occurs and to identify and extract the corresponding unpacker code.
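The abstract describes the approach only at a high level. What follows is an added example, not the paper's code, showing one simplified way to carry out both steps over a dynamic trace: the unpacking point is taken to be the first execution of an address written earlier in the trace (write-then-execute), and the unpacker is recovered as a backward dynamic slice from the instructions that wrote the bytes later executed, with loop back-edges pulled in as a crude control dependence. The trace record layout (`Insn`), the XOR-decryption loop, and every address and register name are constructed for the example; the paper's actual trace format and slicing criteria are not given here, and this code should not be read as its implementation.

```python
from collections import namedtuple

# One executed instruction of a dynamic trace. This record layout is an
# assumption of the example, not the paper's format; a Pin/DynamoRIO tool or
# a debugger script would log the same fields.
#   pc: address executed      op: disassembly text (display only)
#   rr/rw: registers read/written   mr/mw: memory byte read/written (or None)
#   target: branch target address for jumps, else None
Insn = namedtuple("Insn", "pc op rr rw mr mw target")


def rec(pc, op, rr=(), rw=(), mr=None, mw=None, target=None):
    return Insn(pc, op, frozenset(rr), frozenset(rw), mr, mw, target)


def find_unpack_points(trace):
    """Indices where execution first reaches an address written earlier in the
    current phase (write-then-execute). Each hit starts a new phase, so a
    second-layer unpacker that was itself unpacked is detected as well."""
    points, written = [], set()
    for i, ins in enumerate(trace):
        if ins.pc in written:
            points.append(i)
            written = set()
        if ins.mw is not None:
            written.add(ins.mw)
    return points


def backward_slice(trace, start, end, seeds):
    """Dynamic backward slice over trace[start:end] from the seed indices,
    following register and memory def-use chains (kill defs, then add uses)."""
    in_slice, want_regs, want_mem = set(), set(), set()
    for i in range(end - 1, start - 1, -1):
        ins = trace[i]
        if i in seeds or (ins.rw & want_regs) or ins.mw in want_mem:
            in_slice.add(i)
            want_regs = (want_regs - ins.rw) | ins.rr
            want_mem.discard(ins.mw)
            if ins.mr is not None:
                want_mem.add(ins.mr)
    return in_slice


def slice_with_loops(trace, start, end, seeds):
    """Crude control dependence: a branch whose target is an in-slice
    instruction decides whether it runs again (the decryption loop's jnz),
    so the branch and its own dependences (counter) join the slice."""
    seeds = set(seeds)
    while True:
        sl = backward_slice(trace, start, end, seeds)
        pcs = {trace[i].pc for i in sl}
        branches = {i for i in range(start, end) if trace[i].target in pcs}
        if branches <= seeds:
            return sl
        seeds |= branches


def extract_unpackers(trace):
    """For each unpacking point: seed the slice with the previous phase's
    instructions that wrote the bytes executed in the new phase, and report
    the unpacker as the distinct (pc, op) pairs in the slice."""
    points, results, phase_start = find_unpack_points(trace), [], 0
    for n, b in enumerate(points):
        next_end = points[n + 1] if n + 1 < len(points) else len(trace)
        last_writer = {}
        for i in range(phase_start, b):
            if trace[i].mw is not None:
                last_writer[trace[i].mw] = i
        seeds = {last_writer[ins.pc] for ins in trace[b:next_end] if ins.pc in last_writer}
        sl = slice_with_loops(trace, phase_start, b, seeds)
        results.append({"unpack_at": b, "pc": trace[b].pc, "slice": sorted(sl),
                        "code": sorted({(trace[i].pc, trace[i].op) for i in sl})})
        phase_start = b
    return results


def build_trace():
    """Constructed trace (not captured from real malware): a loop at 0x1000
    XOR-decrypts 4 bytes at 0x2000 with a key read from 0x3000, then jumps there."""
    t = [rec(0x1000, "mov ecx, 4", rw={"ecx"}),
         rec(0x1005, "mov esi, 0x2000", rw={"esi"}),
         rec(0x100a, "mov al, [0x3000]", rw={"al"}, mr=0x3000),
         rec(0x100f, "mov ebx, 0xdead", rw={"ebx"})]        # unrelated to unpacking
    for k in range(4):
        t += [rec(0x1014, "xor [esi], al", rr={"esi", "al"}, mr=0x2000 + k, mw=0x2000 + k),
              rec(0x1016, "inc esi", rr={"esi"}, rw={"esi"}),
              rec(0x1017, "dec ecx", rr={"ecx"}, rw={"ecx", "zf"}),
              rec(0x1018, "jnz 0x1014", rr={"zf"}, target=0x1014)]
    t += [rec(0x101a, "push ebx", rr={"ebx"}, mw=0x7ffc),    # unrelated to unpacking
          rec(0x101b, "jmp 0x2000", target=0x2000),
          rec(0x2000, "mov edx, 1", rw={"edx"}),             # first unpacked instruction
          rec(0x2002, "ret", mr=0x7ffc)]
    return t


if __name__ == "__main__":
    for r in extract_unpackers(build_trace()):
        print(f"unpacking at trace[{r['unpack_at']}] -> {r['pc']:#x}; unpacker code:")
        for pc, op in r["code"]:
            print(f"  {pc:#06x}  {op}")
```

On the constructed trace the unpacking point is the first execution of 0x2000, and the extracted unpacker is the seven instructions of the setup and decryption loop; the unrelated `mov ebx` and `push ebx` are excluded because nothing executed later depends on them. Two simplifications to keep in mind: the check is per byte at the instruction's first address, so a real implementation must account for multi-byte instructions and partial overwrites, and the loop back-edge rule captures only the simplest control dependence, so the final transfer into the unpacked code (`jmp 0x2000`) is not in the slice.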
