RePEF — A system for Restoring Packed Executable File for malware analysis

Te-En Wei, Zhi-Wei Chen, Chin-Wei Tien, Jain-Shing Wu, Hahn-Ming Lee, Albert B. Jeng
2011 International Conference on Machine Learning and Cybernetics, published 2011-07-10. DOI: 10.1109/ICMLC.2011.6016777 (https://doi.org/10.1109/ICMLC.2011.6016777)
Citations: 4

Abstract

Malware analysis technologies are important and essential for extracting the behavior of malicious programs. However, in order to avoid detection and analysis, malware creators usually deploy packing techniques to achieve their goals. This kind of packing technique hides the import table of the program file, so that analysts can neither understand the assembly code nor learn the structure of the PE file. Recently, the Institute for Information Industry (III) developed the CSS technique, which can be used to unpack a PE file from memory. Subsequently, we proposed a reconstructive method based on CSS to rebuild the dumped file so that it can be executed correctly. The combination of CSS and the reconstructive method is named Restoring Packed Executable File (RePEF), which can be used to automatically reverse packed PE files (UPX and ASPack) regardless of whether it runs on a Windows or Linux platform. RePEF can also improve and ensure the success rate of malware detection and dynamic analysis.