DocumentCode :
2985842
Title :
A Unpacking and Reconstruction System-AGUnpacker
Author :
Yu San-Chao ; Li Yi-Chao
Author_Institution :
Dept. Sch. of Comput. Sci. & Eng., Univ. of Electron. Sci. & Technol. of China, Chengdu, China
fYear :
2009
fDate :
18-20 Jan. 2009
Firstpage :
1
Lastpage :
4
Abstract :
Malware is packed to create new variants in order to evade signature-based detectors or reverse engineering (RE). Based on the three primary behaviours of packing, namely code obfuscation, PE format modification and anti-techniques, a solution named AGUnpacker is proposed. For code obfuscation, AGUnpacker decides when the target program has completely decrypted itself in memory on the basis of a stack balance rule, an intersection jump rule and the characteristics of the original entry point. For PE format modification, after locating the Import Address Table (IAT) by monitoring all call instructions, a forensic tracing technique is presented that restores the IAT entries which do not match the Export Table entries of the corresponding DLL, so that a runnable binary is obtained. In order to bypass anti-techniques, the system takes over exceptions through common mechanisms. Empirical testing indicates that AGUnpacker can handle both known and unknown packers independently of the packing algorithm, and that it is significantly faster than existing unpackers such as PolyUnpack.
Keywords :
invasive software; object-oriented programming; program diagnostics; reverse engineering; DLL; PE format anti-technique; PE format modification; PolyUnpack; automatic and generic unpacker; code obfuscation; forensic tracing technique; import address table; intersection jump rule; malware; object program; signature-based detector; stack balance rule; Computer science; Detectors; Forensics; Image coding; Image reconstruction; Image restoration; Monitoring; Protection; Reverse engineering; Testing;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Computer Network and Multimedia Technology, 2009. CNMT 2009. International Symposium on
Conference_Location :
Wuhan
Print_ISBN :
978-1-4244-5272-9
Type :
conf
DOI :
10.1109/CNMT.2009.5374512
Filename :
5374512