Unpacking Virtualization Obfuscators

Date Added: May 2009
Format: PDF

Nearly every malware sample is sheathed in an executable protection that must be removed before static analysis can proceed. Existing research has studied the automatic unpacking of certain protections but has not yet caught up with many modern techniques. Contrary to prior assumptions, protected programs do not always revert to a fully unprotected state at some point during their execution. This paper presents a novel technique for circumventing one of the most problematic features of modern software protections, so-called virtualization obfuscation, and thereby enables analysis of heretofore impenetrable malware.
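The following toy virtualization obfuscator is an added illustration of the protection class the abstract describes; it is not code from the paper, and the stack-machine instruction set, the random opcode encoding and the protected function are all constructed for this example. It shows the property the abstract singles out: the protected function is translated into bytecode for a custom interpreter, so at no point during execution is the original code written back into memory. Only the interpreter's handlers ever run, which is why an unpacker that waits for the original image to reappear has nothing to catch, and why two protected copies of the same function share no bytes while behaving identically.

```python
"""Toy virtualization obfuscator (constructed example, not the paper's code).

The original function is lowered to a hypothetical stack-VM instruction set
and emitted under a per-sample random opcode encoding. Execution happens only
inside run_vm's handlers; the native form of `original` never reappears.
"""
import random

MASK32 = 0xFFFFFFFF

def original(x):
    """The unprotected function an analyst would like to recover."""
    t = (x * 3) & MASK32
    t = (t + 7) & MASK32
    return t ^ 0x55

# Hypothetical VM instruction set (assumption for this example).
OPS = ("PUSH_ARG", "PUSH_IMM", "MUL", "ADD", "XOR", "RET")

# `original` lowered to the VM: ((x * 3) + 7) ^ 0x55, 32-bit wraparound.
PROGRAM = [("PUSH_ARG", None), ("PUSH_IMM", 3), ("MUL", None),
           ("PUSH_IMM", 7), ("ADD", None), ("PUSH_IMM", 0x55),
           ("XOR", None), ("RET", None)]

def virtualize(seed):
    """Emit bytecode under a random opcode encoding derived from `seed`.

    Returns (bytecode, encoding). A real protector would embed a matching
    handler table in the binary instead of handing the encoding back.
    """
    rng = random.Random(seed)
    encoding = dict(zip(OPS, rng.sample(range(256), len(OPS))))
    out = bytearray()
    for mnemonic, operand in PROGRAM:
        out.append(encoding[mnemonic])
        if operand is not None:
            out.append(operand)  # one-byte immediate
    return bytes(out), encoding

def run_vm(bytecode, encoding, x, trace=None):
    """Fetch, decode through the encoding table, dispatch to a handler.

    `trace`, if given, collects the handler sequence: the only thing a
    dynamic analyst observes executing, regardless of the byte encoding.
    """
    decode = {code: mnemonic for mnemonic, code in encoding.items()}
    stack, pc = [], 0
    while True:
        mnemonic = decode[bytecode[pc]]
        pc += 1
        if trace is not None:
            trace.append(mnemonic)
        if mnemonic == "PUSH_ARG":
            stack.append(x & MASK32)
        elif mnemonic == "PUSH_IMM":
            stack.append(bytecode[pc])
            pc += 1
        elif mnemonic == "MUL":
            b, a = stack.pop(), stack.pop()
            stack.append((a * b) & MASK32)
        elif mnemonic == "ADD":
            b, a = stack.pop(), stack.pop()
            stack.append((a + b) & MASK32)
        elif mnemonic == "XOR":
            b, a = stack.pop(), stack.pop()
            stack.append(a ^ b)
        elif mnemonic == "RET":
            return stack.pop()

def handler_trace(seed, x):
    """Handler sequence executed for input x under the encoding from `seed`."""
    trace = []
    run_vm(*virtualize(seed), x, trace=trace)
    return trace

if __name__ == "__main__":
    for seed in (1, 2):
        bytecode, encoding = virtualize(seed)
        print(f"seed {seed}: bytecode {bytecode.hex()} "
              f"-> f(10) = {run_vm(bytecode, encoding, 10)} "
              f"(original: {original(10)})")
```

Running the block prints two protected copies with different bytes and the same result. The byte-level difference between seeds is what defeats signature- or image-based unpacking; the identical handler trace is the semantic content that survives, and it is that content, not a restored native image, that a devirtualization approach has to work from.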