FRINK Linked Data Fragments server

Matches in SemOpenAlex for { <https://semopenalex.org/work/W2890434219> ?p ?o ?g. }

• W2890434219 abstract "Binary packing, encoding binary code prior to execution and decoding them at run time, is the most common obfuscation adopted by malware authors to camouflage malicious code. Especially, most packers recover the original code by going through a set of written-then-executed layers, which renders determining the end of the unpacking increasingly difficult. Many generic binary unpacking approaches have been proposed to extract packed binaries without the prior knowledge of packers. However, the high runtime overhead and lack of anti-analysis resistance have severely limited their adoptions. Over the past two decades, packed malware is always a veritable challenge to anti-malware landscape. This paper revisits the long-standing binary unpacking problem from a new angle: packers consistently obfuscate the standard use of API calls. Our in-depth study on an enormous variety of Windows malware packers at present leads to a common property: malware's Import Address Table (IAT), which acts as a lookup table for dynamically linked API calls, is typically erased by packers for further obfuscation; and then unpacking routine, like a custom dynamic loader, will reconstruct IAT before original code resumes execution. During a packed malware execution, if an API is invoked through looking up a rebuilt IAT, it indicates that the original payload has been restored. This insight motivates us to design an efficient unpacking approach, called BinUnpack. Compared to the previous methods that suffer from multiple written-then-executed unpacking layers, BinUnpack is free from tedious memory access monitoring, and therefore it introduces very small runtime overhead. To defeat a variety of ever-evolving evasion tricks, we design BinUnpack's API monitor module via a novel kernel-level DLL hijacking technique. We have evaluated BinUnpack's efficacy extensively with more than 238K packed malware and multiple Windows utilities. BinUnpack's success rate is significantly better than that of existing tools with several orders of magnitude performance boost. Our study demonstrates that BinUnpack can be applied to speeding up large-scale malware analysis." @default.
• W2890434219 created "2018-09-27" @default.
• W2890434219 creator A5003467063 @default.
• W2890434219 creator A5035259205 @default.
• W2890434219 creator A5054567629 @default.
• W2890434219 creator A5073257664 @default.
• W2890434219 creator A5076621366 @default.
• W2890434219 creator A5077716269 @default.
• W2890434219 creator A5088661712 @default.
• W2890434219 date "2018-10-15" @default.
• W2890434219 modified "2023-10-17" @default.
• W2890434219 title "Towards Paving the Way for Large-Scale Windows Malware Analysis" @default.
• W2890434219 cites W1497229971 @default.
• W2890434219 cites W1508225132 @default.
• W2890434219 cites W1538186256 @default.
• W2890434219 cites W1540198462 @default.
• W2890434219 cites W1575185166 @default.
• W2890434219 cites W165688198 @default.
• W2890434219 cites W1831259860 @default.
• W2890434219 cites W1892063863 @default.
• W2890434219 cites W1981033991 @default.
• W2890434219 cites W2001773409 @default.
• W2890434219 cites W2010203757 @default.
• W2890434219 cites W2010910232 @default.
• W2890434219 cites W2012737144 @default.
• W2890434219 cites W2046185165 @default.
• W2890434219 cites W2052854541 @default.
• W2890434219 cites W2068211976 @default.
• W2890434219 cites W2095476337 @default.
• W2890434219 cites W2096921767 @default.
• W2890434219 cites W2098492867 @default.
• W2890434219 cites W2100002952 @default.
• W2890434219 cites W2107576540 @default.
• W2890434219 cites W2111038628 @default.
• W2890434219 cites W2126734536 @default.
• W2890434219 cites W2128389850 @default.
• W2890434219 cites W2140807364 @default.
• W2890434219 cites W2143421017 @default.
• W2890434219 cites W2150423842 @default.
• W2890434219 cites W2151300580 @default.
• W2890434219 cites W2159702664 @default.
• W2890434219 cites W2159928814 @default.
• W2890434219 cites W2171035369 @default.
• W2890434219 cites W2433584005 @default.
• W2890434219 cites W2566565745 @default.
• W2890434219 cites W2601591992 @default.
• W2890434219 cites W2602912125 @default.
• W2890434219 cites W2620895032 @default.
• W2890434219 cites W2620946705 @default.
• W2890434219 cites W2762226429 @default.
• W2890434219 cites W2783112941 @default.
• W2890434219 cites W2794801050 @default.
• W2890434219 cites W4239813889 @default.
• W2890434219 cites W62185554 @default.
• W2890434219 doi "https://doi.org/10.1145/3243734.3243771" @default.
• W2890434219 hasPublicationYear "2018" @default.
• W2890434219 type Work @default.
• W2890434219 sameAs 2890434219 @default.
• W2890434219 citedByCount "29" @default.
• W2890434219 countsByYear W28904342192019 @default.
• W2890434219 countsByYear W28904342192020 @default.
• W2890434219 countsByYear W28904342192021 @default.
• W2890434219 countsByYear W28904342192022 @default.
• W2890434219 countsByYear W28904342192023 @default.
• W2890434219 crossrefType "proceedings-article" @default.
• W2890434219 hasAuthorship W2890434219A5003467063 @default.
• W2890434219 hasAuthorship W2890434219A5035259205 @default.
• W2890434219 hasAuthorship W2890434219A5054567629 @default.
• W2890434219 hasAuthorship W2890434219A5073257664 @default.
• W2890434219 hasAuthorship W2890434219A5076621366 @default.
• W2890434219 hasAuthorship W2890434219A5077716269 @default.
• W2890434219 hasAuthorship W2890434219A5088661712 @default.
• W2890434219 hasConcept C111919701 @default.
• W2890434219 hasConcept C134066672 @default.
• W2890434219 hasConcept C138885662 @default.
• W2890434219 hasConcept C158379750 @default.
• W2890434219 hasConcept C177264268 @default.
• W2890434219 hasConcept C199360897 @default.
• W2890434219 hasConcept C2776760102 @default.
• W2890434219 hasConcept C2777256151 @default.
• W2890434219 hasConcept C2779395397 @default.
• W2890434219 hasConcept C2779960059 @default.
• W2890434219 hasConcept C38652104 @default.
• W2890434219 hasConcept C40305131 @default.
• W2890434219 hasConcept C41008148 @default.
• W2890434219 hasConcept C41895202 @default.
• W2890434219 hasConcept C541664917 @default.
• W2890434219 hasConcept C84525096 @default.
• W2890434219 hasConceptScore W2890434219C111919701 @default.
• W2890434219 hasConceptScore W2890434219C134066672 @default.
• W2890434219 hasConceptScore W2890434219C138885662 @default.
• W2890434219 hasConceptScore W2890434219C158379750 @default.
• W2890434219 hasConceptScore W2890434219C177264268 @default.
• W2890434219 hasConceptScore W2890434219C199360897 @default.
• W2890434219 hasConceptScore W2890434219C2776760102 @default.
• W2890434219 hasConceptScore W2890434219C2777256151 @default.
• W2890434219 hasConceptScore W2890434219C2779395397 @default.
• W2890434219 hasConceptScore W2890434219C2779960059 @default.
• W2890434219 hasConceptScore W2890434219C38652104 @default.
• W2890434219 hasConceptScore W2890434219C40305131 @default.

• next