http://dx.doi.org/10.9728/dcs.2014.15.3.373

A Study on Generic Unpacking using Entropy of Opcode Address  

Lee, Won Lae (Graduate School of Information Security, Korea University)
Kim, Hyoung Joong (Graduate School of Information Security, Korea University)
Publication Information
Journal of Digital Contents Society / v.15, no.3, 2014, pp. 373-380
Abstract
Malware uses packing to make it hard for analysts to examine its program. Recently there have been several studies of generic unpacking, which aims to detect or defeat packing without knowing which packer was used. These studies focus on the code that executes repeatedly while the packer decompresses the original program, because packed code can only run after it has been decompressed. This gives an interesting property: the repeatedly executed decompression code produces instruction (opcode) address values that are similar to one another, which is different from normal program code. By dividing the executed code into regularly sized regions, we find that the unpacking code has a small entropy value compared to normal code. Using this method it is possible to identify whether a program contains unpacking code even if we do not know what algorithm it uses. This paper proposes a way of disarming packed code by using the low entropy value of the opcode addresses that appears while the unpacking code decompresses the program.
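As an added illustration of the windowed address-entropy idea described above (this is example code written for this page, not the paper's own tool; the window size, the entropy threshold and the execution trace are all assumptions constructed here), the following Python computes the Shannon entropy of executed instruction addresses in fixed-size windows of a trace of the kind a Pin instruction-address instrumentation tool would record, flags the low-entropy windows that a decompression loop produces, and reports the trace offset where the low-entropy run ends:

```python
import math
from collections import Counter

WINDOW = 100        # executed instructions per window (assumed; the paper's window size is not given here)
LOW_ENTROPY = 3.0   # bits; windows below this are treated as unpacking-loop activity (assumed threshold)


def shannon_entropy(addresses):
    """Shannon entropy, in bits, of the instruction-address distribution in one window."""
    counts = Counter(addresses)
    n = len(addresses)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def window_entropies(trace, window=WINDOW):
    """Split an executed-address trace into fixed-size windows and score each one."""
    return [shannon_entropy(trace[i:i + window])
            for i in range(0, len(trace) - window + 1, window)]


def find_unpacking_windows(trace, window=WINDOW, threshold=LOW_ENTROPY):
    """Indices of the windows whose address entropy falls below the threshold."""
    return [i for i, h in enumerate(window_entropies(trace, window)) if h < threshold]


def unpacking_end(trace, window=WINDOW, threshold=LOW_ENTROPY):
    """Trace offset where a run of low-entropy windows ends and entropy recovers.

    This is a candidate point for the decompressed code starting to execute;
    None if the trace never shows a low-entropy run.
    """
    seen_low = False
    for i, h in enumerate(window_entropies(trace, window)):
        if h < threshold:
            seen_low = True
        elif seen_low:
            return i * window
    return None


def constructed_trace():
    """Constructed stand-in for a Pin address log. Not real data."""
    # Stage 1: a 5-instruction decompression loop executed 200 times (1000 records).
    loop = [0x401000, 0x401003, 0x401006, 0x40100A, 0x40100D]
    trace = loop * 200
    # Stage 2: transfer to the decompressed code, which runs mostly straight-line
    # with an occasional short helper call, so each window holds many distinct addresses.
    oep = 0x402000
    for k in range(600):
        trace.append(oep + 3 * k)
        if k % 50 == 0:
            trace.extend([0x403000, 0x403004, 0x403008])
    return trace


if __name__ == "__main__":
    trace = constructed_trace()
    for i, h in enumerate(window_entropies(trace)):
        tag = "UNPACKING?" if h < LOW_ENTROPY else ""
        print(f"window {i:2d}  entropy {h:5.2f} bits  {tag}")
    print("low-entropy run ends at trace offset", unpacking_end(trace))
```

In the constructed trace the ten loop windows score log2(5), about 2.32 bits, while the windows of decompressed code score close to log2(100), so the threshold separates them cleanly regardless of what the loop body actually does. The check is deliberately algorithm-agnostic, which is also its weak spot: any tight loop in a legitimate program (a memcpy, a checksum) yields the same low-entropy windows, so in practice the signal is a long low-entropy run followed by execution of memory that the loop wrote, rather than a single low-scoring window.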
Keywords
Entropy; Generic Unpacking; Malware; Packing;