Obfuscation-Resilient Executable Payload Extraction From Packed Malware Binlin Cheng, Hubei Normal University & Wuhan University; Jiang Ming, Erika A Leal, and Haotian Zhang, The University of Texas at Arlington; Jianming Fu and Guojun Peng, Wuhan University; Jean-Yves Marion, Université de Lorraine, CNRS, LORIA https://www.usenix.org/conference/usenixsecurity21/presentation/cheng-binlin This paper is included in the Proceedings of the 30th USENIX Security Symposium. August 11–13, 2021 978-1-939133-24-3 Open access to the Proceedings of the 30th USENIX Security Symposium is sponsored by USENIX. Obfuscation-Resilient Executable Payload Extraction From Packed Malware Binlin Cheng∗† Jiang Ming∗‡ Hubei Normal University & Wuhan University, China The University of Texas at Arlington, USA
[email protected] [email protected] Erika A Leal and Haotian Zhang Jianming Fu† and Guojun Peng† The University of Texas at Arlington, USA Wuhan University, China {erika.leal,haotian.zhang}@mavs.uta.edu {jmfu,guojpeng}@whu.edu.cn Jean-Yves Marion Université de Lorraine, CNRS, LORIA, F-54000 Nancy, France
[email protected] Abstract obfuscation schemes and more coverage on resolved Win- Over the past two decades, packed malware is always a ve- dows API names. Since July 2019, we have tested API-Xray ritable challenge to security analysts. Not only is determining in practice to assist security professionals in malware analy- the end of the unpacking increasingly difficult, but also advan- sis: we have successfully rebuilt 155;811 executable malware ced packers embed a variety of anti-analysis tricks to impede programs and substantially improved the detection rate for reverse engineering.