Comparing Malware Samples for Unpacking: A Feasibility Study

Ryoichi Isawa, M. Morii, D. Inoue
DOI: 10.1109/AsiaJCIS.2016.28 (https://doi.org/10.1109/AsiaJCIS.2016.28)
Published in: 2016 11th Asia Joint Conference on Information Security (AsiaJCIS)
Publication date: 2016-08-01
Citation count: 2

Abstract

When an analyst examines the binary of a malware sample to obtain useful information for defense and mitigation, she is often required to extract its original binary first. Packing is the reason for this: malware authors usually pack (encrypt and/or compress) their malware to hinder code analysis, forcing analysts to spend a great deal of time on unpacking. Towards effective malware analysis, this paper presents an automated original-entry-point detector called OEPdet. If the original entry point (OEP) of the malware is found after the malware is executed, an analyst can smoothly begin examining the original binary starting at the OEP. OEPdet takes two malware samples as input and finds the part of the original binary shared between them; it then detects the OEP based on that shared binary. This relies on the fact that many malware samples are generated from source code shared with other samples at function or snippet granularity. Experiments on several malware samples confirm that OEPdet is feasible for detecting the OEP.