Abstract
Malware authors often use binary packers to hinder the malicious code from reverse-engineered by malware analyst. There have been many studies done on providing different approaches on unpacking the packed binary executable. Our previous works have successfully relied on the written memory section size as an indicator to extract hidden-code during the unpacking process. This paper enhances our previous work by locating executed instruction in the written memory section to provide a more precise memory location in extracting hidden code from the packed binary executable. The result of our experiments exhibits higher similarity result for all packers and benign applications compared to our previous works.
Export citation and abstract BibTeX RIS
Content from this work may be used under the terms of the Creative Commons Attribution 3.0 licence. Any further distribution of this work must maintain attribution to the author(s) and the title of the work, journal citation and DOI.