Many malicious programs we encounter these days are armed with their own custom encoding methods (i.e., they are packed) to deter static binary analysis. Thus, the initial step in dealing with unknown (possibly malicious) binary samples obtained from malware collection systems ordinarily involves unpacking. In this paper, we focus on an empirical experimental evaluation of a generic unpacking method built on a dynamic binary instrumentation (DBI) framework, to determine the applicability of the DBI-based approach. First, we present yet another method of generic binary unpacking that extends a conventional unpacking heuristic. Our architecture manages shadow states to measure code exposure according to a simple byte-state model. Among the available platforms, we built our unpacking implementation on the PIN DBI framework. Second, we describe evaluation experiments, conducted on wild malware collections, to discuss the workability as well as the limitations of our tool. Without prior knowledge of the 6029 samples in the collections, we identified that around 64% of them were analyzable with our DBI-based generic unpacking tool configured to operate in fully automatic batch processing. After purging samples that were corrupted or unworkable even on native systems, the figure was 72%.
Hyung Chan KIM
Tatsunori ORII
Katsunari YOSHIOKA
Daisuke INOUE
Jungsuk SONG
Masashi ETO
Junji SHIKATA
Tsutomu MATSUMOTO
Koji NAKAO
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Hyung Chan KIM, Tatsunori ORII, Katsunari YOSHIOKA, Daisuke INOUE, Jungsuk SONG, Masashi ETO, Junji SHIKATA, Tsutomu MATSUMOTO, Koji NAKAO, "An Empirical Evaluation of an Unpacking Method Implemented with Dynamic Binary Instrumentation" in IEICE TRANSACTIONS on Information,
vol. E94-D, no. 9, pp. 1778-1791, September 2011, doi: 10.1587/transinf.E94.D.1778.
URL: https://global.ieice.org/en_transactions/information/10.1587/transinf.E94.D.1778/_p
@ARTICLE{e94-d_9_1778,
author={Hyung Chan KIM and Tatsunori ORII and Katsunari YOSHIOKA and Daisuke INOUE and Jungsuk SONG and Masashi ETO and Junji SHIKATA and Tsutomu MATSUMOTO and Koji NAKAO},
journal={IEICE TRANSACTIONS on Information},
title={An Empirical Evaluation of an Unpacking Method Implemented with Dynamic Binary Instrumentation},
year={2011},
volume={E94-D},
number={9},
pages={1778-1791},
keywords={},
doi={10.1587/transinf.E94.D.1778},
ISSN={1745-1361},
month={September},}
TY - JOUR
TI - An Empirical Evaluation of an Unpacking Method Implemented with Dynamic Binary Instrumentation
T2 - IEICE TRANSACTIONS on Information
SP - 1778
EP - 1791
AU - Hyung Chan KIM
AU - Tatsunori ORII
AU - Katsunari YOSHIOKA
AU - Daisuke INOUE
AU - Jungsuk SONG
AU - Masashi ETO
AU - Junji SHIKATA
AU - Tsutomu MATSUMOTO
AU - Koji NAKAO
PY - 2011
DO - 10.1587/transinf.E94.D.1778
JO - IEICE TRANSACTIONS on Information
SN - 1745-1361
VL - E94-D
IS - 9
JA - IEICE TRANSACTIONS on Information
Y1 - September 2011
ER -