A Study on API Wrapping in Themida and Unpacking Technique
Lee, Jae-hwi; Han, Jaehyeok; Lee, Min-wook; Choi, Jae-mun; Baek, Hyunwoo; Lee, Sang-jin
(Center for Information Security Technologies, Korea University)