x64Unpack: Hybrid Emulation Unpacker for 64-bit Windows Environments and Detailed Analysis Results on VMProtect 3.4

Choi, Seokwoo; Chang, Taejoo; Kim, Changhyun; Park, Yong-Su

doi:10.1109/access.2020.3008900

Cited by 9 publications

(19 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…These techniques include anti-debugging, anti-virtual machine, and anti-emulation strategies that complicate the analysis process. Previous studies have successfully bypassed such techniques in commercial protectors and unpacked malware protected by known packers [5,7,16,17]. However, challenges persist with unknown packers, and research is ongoing to overcome these obstacles from yet unidentified packers.…”

Section: Anti-analysis Techniquesmentioning

confidence: 99%

“…These tools go beyond simple compression; they integrate sophisticated anti-analysis and obfuscation techniques into binaries. Packed malware, with its original code encrypted, presents significant detection and analysis challenges, especially in debugger or sandbox environments [5][6][7].…”

Section: Introductionmentioning

confidence: 99%

“…Packers play a pivotal role in malware obfuscation, often removing the entry point and import table during the packing process. While earlier research efforts have centered on detecting the OEP and rebuilding the import table of packed malware, packers have evolved, adopting advanced obfuscation techniques to counter these measures [5,7]. A notable study, API-Xray, has effectively tackled the challenge of reconstructing import tables in obfuscated malware contexts, revealing that 9.5% of resistant malware samples employed both OEP and API obfuscation [8].…”

mentioning

confidence: 99%

See 2 more Smart Citations

Pinicorn: Towards Automated Dynamic Analysis for Unpacking 32-Bit PE Malware

Lee,

Kim,

et al. 2024

Electronics

View full text Add to dashboard Cite

Original Entry Point (OEP) and API obfuscation techniques greatly hinder the analysis of malware. Contemporary packers, employing these sophisticated obfuscation strategies, continue to pose unresolved challenges, despite extensive research efforts. Recent studies, like API-Xray, have mainly concentrated on rebuilding obfuscated import tables in malware, but research into OEP obfuscation is still limited. As a solution, we present Pinicorn, an automated dynamic de-obfuscation system designed to tackle these complexities. Pinicorn bypasses packers’ anti-analysis techniques and retrieves the original program from memory. It is specifically designed to detect and analyze trampoline codes within both OEP and the import table. Our evaluation shows that Pinicorn successfully deobfuscates programs hidden by three different packers, confirming its effectiveness through a comparative analysis with their original versions. Furthermore, we conducted experiments on malware obfuscated by Themida and VMProtect, analyzing the obfuscation techniques and successfully de-obfuscating them to validate the effectiveness of our approach.

show abstract

Section: Anti-analysis Techniquesmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

mentioning

confidence: 99%

See 1 more Smart Citation

Pinicorn: Towards Automated Dynamic Analysis for Unpacking 32-Bit PE Malware

Lee,

Kim,

et al. 2024

Electronics

View full text Add to dashboard Cite

show abstract

“…PEB, one of the basic data structures used in Windows OS, loads process information, and PEB information exists in all processes running in the OS [25]. PEB is defined as a single structure and is a data structure containing process load information [26].…”

Section: Observing Peb Data Of Processmentioning

confidence: 99%

Detection and Blocking Method against DLL Injection Attack Using PEB-LDR of ICS EWS in Smart IoT Environments

Kim¹,

Kim²,

Shin³

2022

Journal of Internet Technology

View full text Add to dashboard Cite

<p>Modern Industrial Control System (ICS) can provide vast functions as the introduction of IT technology is established along with the introduction of the IoT environment. Engineering Workstation (EWS) used by ICS is widely used to efficiently manage and control industrial devices including smart IoT devices. However, the DLL injection attack in ICS is not high in difficulty compared to the risk, but it can cause fatal malfunction. If an attack is carried out targeting the EWS, it may cause erroneous operation in many control devices, including IoT devices, cause fatal accidents throughout the Supervisory Control and Data Acquisition (SCADA) system. In this paper, we present a method to detect DLL injection attacks by specializing in EWS used in ICS in IoT environment and purpose a method to detect data changes due to DLL injection attacks by analyzing and utilizing PEB-LDR data. Also, we purpose a method to detect and block execution when a malicious DLL is suspected to be loaded by DLL injection.</p> <p> </p>

show abstract

“…Choi, Seokwoo, et al [9] proposed x64Unpack, which analyzes the packed executable file and unpacks it. In addition, the study presents analysis results on how the program packed with VMProtect 3.4 works using x64Unpack and which API is used.…”

Section: Related Workmentioning

confidence: 99%