Title: Generic unpacking of applications for malware detection
Abstract: A technique for detecting malware in an executable allows unpacking of a packed executable before determining whether the executable is malware. In systems with hardware assisted virtualization, hardware virtualization features may be used to iteratively unpack a packed executable in a controlled manner without needing knowledge of a packing technique. Once the executable is completely unpacked, malware detection techniques, such as signature scanning, may be employed to determine whether the executable contains malware. Hardware assisted virtualization may be used to facilitate the scanning of the run-time executable in memory.
Publication number: US9471783(B2) Publication date: 2016.10.18
Application number: US201313838663 Filing date: 2013.03.15
Applicant: McAfee, Inc. Inventor: Gupta Deepak
Classification: G06F21/00;G06F21/56 Main classification: G06F21/00
Agent: Blank Rome LLP Attorney: Blank Rome LLP
Main claim: 1. A non-transitory computer-readable medium comprising instructions stored thereon that when executed cause one or more processing units to:
  load a self-extracting executable into memory, the self-extracting executable comprising a first unpacking stub and a packed executable;
  allow the first unpacking stub to unpack the packed executable into an unpacked executable;
  detect an attempt to write to a memory page in which code was previously executed, by controlling memory page access permissions using hardware assisted virtualization;
  detect an attempt to execute code that was previously written into a memory page by the first unpacking stub, by controlling the memory page access permissions using the hardware assisted virtualization;
  detect completion of unpacking the packed executable by the first unpacking stub using one or more heuristics; and
  scan the unpacked executable for malware,
  wherein the one or more heuristics comprise: comparing a stack pointer value and stack contents recorded prior to detecting completion of the first unpacking stub with a stack pointer value and stack contents recorded prior to allowing the first unpacking stub to begin unpacking the packed executable.
Address: Santa Clara CA US