ON THE FEASIBILITY OF MALWARE UNPACKING WITH HARDWARE PERFORMANCE COUNTERS
Abstract
Most of the malware authors use Packers, to compress an executable file and attach a stub, to the file containing the code, to decompress it at runtime, which will turn a known piece of malware into something new, that known-malware scanners can't detect. The researchers are finding ways to unpack and find the original program from such packed binaries. However, the previous study of detection for unpacking in the packed malware using different approach won’t provide many promising results.
This research explores a novel approach for the detection of the unpacking process using hardware performance counters. In this approach, the unpacking process is closely monitored with Hardware Performance Counters. The HPCs shows hot spot during the unpacking process. By performing the per-process filtration, HPCs show a close relation with the decompression algorithm. For this research, the analysis is performed on a bare-metal machine. The packed executable is profiled for hardware calls using Intel® VTune™ Amplifier.