Detailed Information

Cited 0 time in webofscience Cited 0 time in scopus
Metadata Downloads

UnSafengine64: A Safengine Unpacker for 64-Bit Windows Environments and Detailed Analysis Results on Safengine 2.4.0open access

Authors
Choi, SeokwooChang, TaejooPark, Yongsu
Issue Date
Feb-2024
Publisher
Multidisciplinary Digital Publishing Institute (MDPI)
Keywords
anti-forensics; code obfuscation; computer security; dynamic code analysis; software reverse engineering
Citation
Sensors, v.24, no.3, pp 1 - 21
Pages
21
Indexed
SCIE
SCOPUS
Journal Title
Sensors
Volume
24
Number
3
Start Page
1
End Page
21
URI
https://scholarworks.bwise.kr/hanyang/handle/2021.sw.hanyang/196337
DOI
10.3390/s24030840
ISSN
1424-8220
1424-8220
Abstract
Despite recent remarkable advances in binary code analysis, malware developers still use complex anti-reversing techniques that make analysis difficult. Packers are used to protect malware, which are (commercial) tools that contain diverse anti-reversing techniques, including code encryption, anti-debugging, and code virtualization. In this study, we present UnSafengine64: a Safengine unpacker for 64-bit Windows. UnSafengine64 can correctly unpack packed executables using Safengine, which is considered one of the most complex commercial packers in Windows environments; to the best of our knowledge, there have been no published analysis results. UnSafengine64 was developed as a plug-in for Pin, which is one of the most widely used dynamic analysis tools for Microsoft Windows. In addition, we utilized Detect It Easy (DIE), IDA Pro, x64Dbg, and x64Unpack as auxiliary tools for deep analysis. Using UnSafengine64, we can analyze obfuscated calls for major application programming interface (API) functions or conduct fine-grained analyses at the instruction level. Furthermore, UnSafengine64 detects anti-debugging code chunks, captures a memory dump of the target process, and unpacks packed files. To verify the effectiveness of our scheme, experiments were conducted using Safengine 2.4.0. The experimental results show that UnSafengine64 correctly executes packed executable files and successfully produces an unpacked version. Based on this, we provided detailed analysis results for the obfuscated executable file generated using Safengine 2.4.0.
Files in This Item
Appears in
Collections
서울 공과대학 > 서울 컴퓨터소프트웨어학부 > 1. Journal Articles

qrcode

Items in ScholarWorks are protected by copyright, with all rights reserved, unless otherwise indicated.

Related Researcher

Researcher Park, Yong su photo

Park, Yong su
COLLEGE OF ENGINEERING (SCHOOL OF COMPUTER SCIENCE)
Read more

Altmetrics

Total Views & Downloads

BROWSE