Graduation Semester and Year

2019

Language

English

Document Type

Thesis

Degree Name

Master of Science in Computer Science

Department

Computer Science and Engineering

First Advisor

Jiang Ming

Abstract

Most of the malware authors use Packers, to compress an executable file and attach a stub, to the file containing the code, to decompress it at runtime, which will turn a known piece of malware into something new, that known-malware scanners can't detect. The researchers are finding ways to unpack and find the original program from such packed binaries. However, the previous study of detection for unpacking in the packed malware using different approach won’t provide many promising results. This research explores a novel approach for the detection of the unpacking process using hardware performance counters. In this approach, the unpacking process is closely monitored with Hardware Performance Counters. The HPCs shows hot spot during the unpacking process. By performing the per-process filtration, HPCs show a close relation with the decompression algorithm. For this research, the analysis is performed on a bare-metal machine. The packed executable is profiled for hardware calls using Intel® VTune™ Amplifier.

Keywords

HPC, Malware analysis, Binary packing, Binary unpacking

Disciplines

Computer Sciences | Physical Sciences and Mathematics

Comments

Degree granted by The University of Texas at Arlington

28133-2.zip (713 kB)

Share

COinS
 
 

To view the content in your browser, please download Adobe Reader or, alternately,
you may Download the file to your hard drive.

NOTE: The latest versions of Adobe Reader do not support viewing PDF files within Firefox on Mac OS and if you are using a modern (Intel) Mac, there is no official plugin for viewing PDF files within the browser window.