Pinicorn: Towards Automated Dynamic Analysis for Unpacking 32-Bit PE Malwareopen access
- Authors
- Lee, Gwangyeol; Kim, Minho; Yi, Jeong Hyun; Cho, Haehyun
- Issue Date
- Jun-2024
- Publisher
- MDPI
- Keywords
- OEP obfuscation; API obfuscation; deobfuscation; unpacking; malware analysis
- Citation
- ELECTRONICS, v.13, no.11
- Journal Title
- ELECTRONICS
- Volume
- 13
- Number
- 11
- URI
- https://scholarworks.bwise.kr/ssu/handle/2018.sw.ssu/49767
- DOI
- 10.3390/electronics13112081
- ISSN
- 2079-9292
2079-9292
- Abstract
- Original Entry Point (OEP) and API obfuscation techniques greatly hinder the analysis of malware. Contemporary packers, employing these sophisticated obfuscation strategies, continue to pose unresolved challenges, despite extensive research efforts. Recent studies, like API-Xray, have mainly concentrated on rebuilding obfuscated import tables in malware, but research into OEP obfuscation is still limited. As a solution, we present Pinicorn, an automated dynamic de-obfuscation system designed to tackle these complexities. Pinicorn bypasses packers' anti-analysis techniques and retrieves the original program from memory. It is specifically designed to detect and analyze trampoline codes within both OEP and the import table. Our evaluation shows that Pinicorn successfully deobfuscates programs hidden by three different packers, confirming its effectiveness through a comparative analysis with their original versions. Furthermore, we conducted experiments on malware obfuscated by Themida and VMProtect, analyzing the obfuscation techniques and successfully de-obfuscating them to validate the effectiveness of our approach.
- Files in This Item
-
Go to Link
- Appears in
Collections - College of Information Technology > School of Software > 1. Journal Articles
![qrcode](https://api.qrserver.com/v1/create-qr-code/?size=55x55&data=https://scholarworks.bwise.kr/ssu/handle/2018.sw.ssu/49767)
Items in ScholarWorks are protected by copyright, with all rights reserved, unless otherwise indicated.