Renovo: A Hidden Code Extractor for Packed Executables

Overview

As reverse engineering has become a prevalent technique for analyzing malware, malware writers leverage various anti-reverse-engineering techniques to hide their code. One technique in common use is code packing, since packed executables hinder code analysis. While this problem has been researched before, the existing solutions are either unable to handle novel samples or vulnerable to various evasion techniques. Renovo is a fully dynamic approach that captures an intrinsic property of hidden code execution: the original code must be present in memory and executed at some point at run-time. Renovo therefore monitors program execution and memory writes at run-time, determines whether the code under execution was newly generated (written to memory after the program started), and then extracts that hidden code from the executable.
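The write-then-execute check described above, as an added illustration that is not Renovo's own code: a shadow set records every byte written at run-time, and the moment an instruction is fetched from a written address, the written bytes are dumped as one hidden-code layer and the shadow set is reset so a further layer can be caught separately. The event trace, addresses and payload bytes are constructed stand-ins for the memory-write and instruction hooks an emulator would provide; the toy assumes each layer is one contiguous region.

```python
"""Renovo-style hidden-code detection, simulated (added example; not Renovo's code)."""
from dataclasses import dataclass, field

@dataclass
class HiddenCodeTracker:
    """Shadow memory: the set of byte addresses written since monitoring began.
    Code executed from a written address is by definition newly generated."""
    dirty: set = field(default_factory=set)
    layers: list = field(default_factory=list)  # (entry, base, bytes) per extracted layer

    def on_write(self, addr: int, data: bytes) -> None:
        self.dirty.update(range(addr, addr + len(data)))

    def on_execute(self, addr: int, length: int, memory: dict) -> bool:
        """Instruction hook: return True (and dump a layer) if the instruction
        at addr was written at run-time rather than loaded from the image."""
        if self.dirty.isdisjoint(range(addr, addr + length)):
            return False
        base = min(self.dirty)            # toy assumption: one contiguous region
        dump = bytes(memory[a] for a in sorted(self.dirty))
        self.layers.append((addr, base, dump))
        self.dirty.clear()                # reset so a further layer is caught separately
        return True

def run_trace(events: list) -> list:
    """Replay constructed ('write', addr, bytes) / ('exec', addr, length) events,
    standing in for the memory-write and instruction hooks of an emulator."""
    tracker, memory = HiddenCodeTracker(), {}
    for ev in events:
        if ev[0] == "write":
            _, addr, data = ev
            memory.update({addr + i: b for i, b in enumerate(data)})
            tracker.on_write(addr, data)
        else:
            _, addr, length = ev
            tracker.on_execute(addr, length, memory)
    return tracker.layers

PAYLOAD = bytes.fromhex("554889e5")   # constructed stand-in for decoded instructions
DEMO_EVENTS = [                        # constructed trace of a two-stage unpacker
    ("exec", 0x401000, 5),             # unpacking stub runs from the on-disk image: clean
    ("write", 0x405000, PAYLOAD[:2]),  # stub decodes the real code in pieces
    ("write", 0x405002, PAYLOAD[2:]),
    ("exec", 0x401005, 2),             # jmp into the decoded region (still clean code)
    ("exec", 0x405000, 4),             # executes from written memory -> layer 1 dumped
    ("write", 0x405004, b"\xc3"),      # layer 1 itself unpacks a second stage
    ("exec", 0x405004, 1),             # -> layer 2 dumped
]

if __name__ == "__main__":
    for entry, base, dump in run_trace(DEMO_EVENTS):
        print(f"hidden layer entered at {entry:#x}: {len(dump)} bytes from {base:#x}")
```

A real tracker hooks an emulator at byte or page granularity and keeps the dirty state per process; the reset after each dump is what lets multi-layer packers be peeled one stage at a time.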

Publications

Renovo: A Hidden Code Extractor for Packed Executables.
Min Gyung Kang, Pongsin Poosankam, and Heng Yin. In Proceedings of the 5th ACM Workshop on Recurring Malcode (WORM), October 2007.
