Renovo: A Hidden Code Extractor for Packed Executables
[Overview] [Publications] [Back to BitBlaze]
As reverse engineering becomes a prevalent technique to analyze malware, malware writers leverage various anti-reverse engineering techniques to hide their code. One technique commonly used is code packing as packed executables hinder code analysis. While this problem has been previously researched, the existing solutions are either unable to handle novel samples, or vulnerable to various evasion techniques. Renovo is a fully dynamic approach that captures an intrinsic nature of hidden code execution that the original code should be present in memory and executed at some point at run-time. Thus, it monitors program execution and memory writes at run-time, determines if the code under execution is newly generated, and then extracts the hidden code of the executable.
Back to BitBlaze