In this work we explored the possibility to exploit the functionality of a dynamic binary instrumentation framework to perform runtime unpacking. Our system can extract and reconstruct the original program from a packed version of it, speeding up the analysis of an obfuscated binary. Packers employ different techniques with various levels of complexity, but all of them must share one common behavior during the run-time unpacking: they have to write new code in memory and eventually execute it. Starting from this observation, we have designed a generic unpacking algorithm that can correctly detect this behavior and defeat the most popular packing techniques. Our tool also takes care of other modern techniques such as unpacking on dynamic memory allocated areas, and Import Address Table (IAT) obfuscation. When it is not possible to reconstruct a fully working PE, we provide all the memory dumps, representing the unpacked program along with a log of the unpacking process, which can be useful to malware analysts to speed up their task.
To validate our work, we have conducted two experiments: the first one demonstrates the generality of our unpacking process with respect to fifteen different known packers, while the second one demonstrates the effectiveness of our system against malware samples packed with both known and unknown packers.
Sebastiano Mariani is a student at Politecnico di Milano, graduating at the end of April 2016. He is passionate about computer security in all its aspect from penetration testing (for which he tested his skills obtaining the OSCP certificate) to malware analysis (his current area of study).
Lorenzo Fontana is a Computer Science student at the Politecnico of Milan. He has always been interested in computer security and is an active participant of bug bounty programs like the Google VRP, Microsoft and AT&T. His current area of study is malware analysis - in particular how it is possible to leverage DBI framework to solve the challenges of this field.
Stefano is an Advisory Consultant for the RSA Incident Response Practice. He is an experienced Incident Responder focused on Malware Analysis, Network Analysis and Reverse Engineering, and has been part of early communities of European hackers and crackers of the nineties. When he hears words like BBS, smartmodem, ANSI art he always becomes nostalgic. Prior to RSA, Stefano worked for Digital, HP, Cisco and other companies worldwide. He is also a founder of Black Sun Labs, an Italian research center focused on cybercrime analyses and investigations supporting the Italian government.