A Museum of API Obfuscation on Win32

Executive Summary

Antivirus software vendors attempt to identify threats by unpacking suspicious samples and hence aim to produce as many unpackers as possible. When characteristic portions of a successfully unpacked sample are identified, the sample can be tagged and detection added. This procedure is commonly used for variants of well-known malware families and does not require the analysis of Windows API calls made by the sample. In contrast, in-depth analysis of packed threats requires the knowledge of the API functions called during execution. When a sample cannot be unpacked, memory dumps may be used to provide insight into its behavior.

  • Format: PDF
  • Size: 1328.2 KB