Mal-Flux: Rendering hidden code of packed binary executable

Charles Lim; Kalamullah Ramli; Yohanes Syailendra Kotualubun

doi:10.1016/j.diin.2019.01.004

Mal-Flux: Rendering hidden code of packed binary executable

Charles Lim, Suryadi, Kalamullah Ramli, Yohanes Syailendra Kotualubun

Research output: Contribution to journal › Article › peer-review

5 Citations (Scopus)

Abstract

A binary packer has commonly been used to protect the original code inside the binary executables from being detected as malicious code by anti-malware software. Various methods of unpacking packed binary executables have been extensively studied, and several unpacking approaches have been proposed. Some of these solutions depend on various assumptions, which may limit their effectiveness. Here, a new method of memory analysis technique, called Mal-Flux, is proposed to determine the end of unpacking routine to allow hidden code extraction from the packed binary executables. Our experiments show that our method provides better performance than previous works in extracting the hidden-code from the packed binary executables.

Original language	English
Pages (from-to)	83-95
Number of pages	13
Journal	Digital Investigation
Volume	28
DOIs	https://doi.org/10.1016/j.diin.2019.01.004
Publication status	Published - Mar 2019

Keywords

Binary packer
Malicious code
Malware
Memory analysis

Access to Document

10.1016/j.diin.2019.01.004

Cite this

@article{e25e9f8b57c54a54b7ec14a69d72dc64,

title = "Mal-Flux: Rendering hidden code of packed binary executable",

abstract = "A binary packer has commonly been used to protect the original code inside the binary executables from being detected as malicious code by anti-malware software. Various methods of unpacking packed binary executables have been extensively studied, and several unpacking approaches have been proposed. Some of these solutions depend on various assumptions, which may limit their effectiveness. Here, a new method of memory analysis technique, called Mal-Flux, is proposed to determine the end of unpacking routine to allow hidden code extraction from the packed binary executables. Our experiments show that our method provides better performance than previous works in extracting the hidden-code from the packed binary executables.",

keywords = "Binary packer, Malicious code, Malware, Memory analysis",

author = "Charles Lim and Suryadi and Kalamullah Ramli and Kotualubun, {Yohanes Syailendra}",

note = "Funding Information: We would like to thank Honeynet Project and VirusTotal for providing various malware family samples used in our research. This articles publication is supported by the United States Agency for International Development (USAID) through the Sustainable Higher Education Research Alliance (SHERA) Program for the Universitas Indonesias Scientific Modeling, Application, Research, and Training for City-centered Innovation and Technology (SMART CITY) Project, Grant # AID-497-A-1600004 , Sub-grant #IIE-00000078-UI-1 . Publisher Copyright: {\textcopyright} 2019 Elsevier Ltd",

year = "2019",

month = mar,

doi = "10.1016/j.diin.2019.01.004",

language = "English",

volume = "28",

pages = "83--95",

journal = "Digital Investigation",

issn = "1742-2876",

publisher = "Elsevier Ltd",

}

TY - JOUR

T1 - Mal-Flux

T2 - Rendering hidden code of packed binary executable

AU - Lim, Charles

AU - Suryadi,

AU - Ramli, Kalamullah

AU - Kotualubun, Yohanes Syailendra

N1 - Funding Information: We would like to thank Honeynet Project and VirusTotal for providing various malware family samples used in our research. This articles publication is supported by the United States Agency for International Development (USAID) through the Sustainable Higher Education Research Alliance (SHERA) Program for the Universitas Indonesias Scientific Modeling, Application, Research, and Training for City-centered Innovation and Technology (SMART CITY) Project, Grant # AID-497-A-1600004 , Sub-grant #IIE-00000078-UI-1 . Publisher Copyright: © 2019 Elsevier Ltd

PY - 2019/3

Y1 - 2019/3

N2 - A binary packer has commonly been used to protect the original code inside the binary executables from being detected as malicious code by anti-malware software. Various methods of unpacking packed binary executables have been extensively studied, and several unpacking approaches have been proposed. Some of these solutions depend on various assumptions, which may limit their effectiveness. Here, a new method of memory analysis technique, called Mal-Flux, is proposed to determine the end of unpacking routine to allow hidden code extraction from the packed binary executables. Our experiments show that our method provides better performance than previous works in extracting the hidden-code from the packed binary executables.

AB - A binary packer has commonly been used to protect the original code inside the binary executables from being detected as malicious code by anti-malware software. Various methods of unpacking packed binary executables have been extensively studied, and several unpacking approaches have been proposed. Some of these solutions depend on various assumptions, which may limit their effectiveness. Here, a new method of memory analysis technique, called Mal-Flux, is proposed to determine the end of unpacking routine to allow hidden code extraction from the packed binary executables. Our experiments show that our method provides better performance than previous works in extracting the hidden-code from the packed binary executables.

KW - Binary packer

KW - Malicious code

KW - Malware

KW - Memory analysis

UR - http://www.scopus.com/inward/record.url?scp=85060340450&partnerID=8YFLogxK

U2 - 10.1016/j.diin.2019.01.004

DO - 10.1016/j.diin.2019.01.004

M3 - Article

AN - SCOPUS:85060340450

SN - 1742-2876

VL - 28

SP - 83

EP - 95

JO - Digital Investigation

JF - Digital Investigation

ER -

Mal-Flux: Rendering hidden code of packed binary executable

Abstract

Keywords

Access to Document

Other files and links

Fingerprint

Cite this