http://dx.doi.org/10.13089/JKIISC.2017.27.1.67

A Study on API Wrapping in Themida and Unpacking Technique

Lee, Jae-hwi (Center for Information Security Technologies, Korea University)
Han, Jaehyeok (Center for Information Security Technologies, Korea University)
Lee, Min-wook (Center for Information Security Technologies, Korea University)
Choi, Jae-mun (Center for Information Security Technologies, Korea University)
Baek, Hyunwoo (Center for Information Security Technologies, Korea University)
Lee, Sang-jin (Center for Information Security Technologies, Korea University)
Abstract
A protector is software that protects core technologies by means of compression and encryption. Nowadays malware uses protectors to conceal malicious code from analysis. For detailed analysis of a packed program, unpacking the protector is a necessary step. Lately, most studies have focused on finding the OEP (original entry point) in order to unpack the program. However, in this case the program remains difficult to analyze, because finding the OEP alone does not remove the protecting functions. In this paper, we study the protecting functions in Themida and propose an unpacking technique for them.
Keywords
Themida; API wrapping; Unpacking
Citations & Related Records
Times Cited By KSCI: 2