Precise system-wide concatic malware unpacking
David Korczynski
[email protected]
Department of Computer Science
University of Oxford
ABSTRACT
Run time packing is a common approach malware use to obfus-
cate their payloads, and automatic unpacking is, therefore, highly
relevant. The problem has received much attention, and so far,
arXiv:1908.09204v1 [cs.CR] 24 Aug 2019
solutions based on dynamic analysis have been the most successful.
Nevertheless, existing solutions lack in several areas, both concep-
tually and architecturally, because they focus on a limited part of
the unpacking problem. These limitations significantly impact their
applicability, and current unpackers have, therefore, experienced
limited adoption.
In this paper, we introduce a new tool, called Minerva, for ef-
fective automatic unpacking of malware samples. Minerva intro-
duces a unified approach to precisely uncover execution waves in a
packed malware sample and produce PE files that are well-suited for
follow-up static analysis. At the core, Minerva deploys a novel in-
formation flow model of system-wide dynamically generated code,
precise collection of API calls and a new approach for merging
execution waves and API calls. Together, these novelties amplify
the generality and precision of automatic unpacking and make the
output of Minerva highly usable. We extensively evaluate Minerva
against synthetic and real-world malware samples and show that
our techniques significantly improve on several aspects compared
to previous work.
KEYWORDS
Malware analysis, Malware unpacking, Reverse engineering, Pro-
gram analysis
1 INTRODUCTION
Conceptually, run time packers encode a binary with obfuscation
techniques such as compression and encryption to harden analy-
sis of their code. This hardening significantly increases the effort
needed to reverse engineer a given sample, whether manually or
automatically, because it requires inverting the anti-analysis tech-
niques used by the packer to understand the full capabilities of the
malware. Run time packing is a highly effective anti-analysis tech-
nique, and estimates show more than 80% of malware samples come
packed [15]. The combination of needing to unpack samples before
proper analysis is feasible, and that most malware samples come
packed makes it desirable to develop approaches that automatically
unpack malware.
Techniques and tools for automatic unpacking malware have
received a lot of attention in the literature [10, 17, 22, 23, 28, 29, 33,
42]. Despite this large amount of research, the vast amounts of work
rely on the same core principle, the “write-then-execute” heuristic.
This heuristic deploys the key observation that in order to execute
the encrypted code, it first must be decrypted and, therefore, be
dynamically generated. The most common approach by previous
work is, therefore, to execute a given sample, monitor all memory
writes made by the malware, and whenever dynamically written
memory executes, the unpacker identifies this memory as decrypted.
The tools then dump this specific memory to enable follow-up
inspection.
There are two main limitations to the approach of existing work.
First, the “write-then-execute” heuristic is not well-suited for pack-
ers that perform system-wide unpacking. This is because the heuris-
tic only captures code that is dynamically generated explicitly by the
malware and not malicious code that is dynamically generated via
benign code which, unfortunately, is frequently the case in multi-
process unpacking. Consequently, existing unpackers are mainly
suitable for single-process malware and new approaches to capture
system-wide malware unpacking are needed. Second, the primary
output of existing work is memory dumps or naively constructed
PE files of the dynamically generated code. The output lacks struc-
ture, is often an unreasonable over- or under-approximation of the
actual malware code, and many obfuscation techniques from the
packing process, e.g. obfuscation of external dependencies, remain
in the output. As such, the analysis that follows must overcome
these obfuscation techniques to enable meaningful analysis of the
code. This is a problem because the purpose of unpacking is to
facilitate follow-up analysis and not to give any conclusive answer
about the malware itself.
The limitations described above reoccur in existing work, and
we argue that an essential reason for this is because existing work
widely uses the same set of benchmark applications to validate
their solutions. These benchmark applications consist of packers
that are out-dated and built more than a decade ago. Consequently,
the empirical assessment of novel tools occur with old, and often
similar, techniques that do not accurately reflect the challenges
posed by modern-day malware packers. To ensure that our novel
tools are relevant, we need new benchmark applications that can
be used for profiling novel unpackers. These benchmarks must
explore corner-cases of modern packing techniques and be easily
accessible to anti-malware researchers.
The goal of this paper is to develop techniques that overcome the
limitations of existing work highlighted above. We present a unified
approach to precisely unpack malware samples with system-wide
execution, dynamically generated code, custom IAT loading and
API call obfuscations. The aim is to provide unpacked code that is
well-suited for follow-up analysis via manual reverse engineering
or off-the-shelf static analysis tools. To this end, Minerva deploys a
combination of dynamic and static analysis to amplify the effective-
ness of automatic unpacking. The novel techniques presented in
Minerva rely on information flow, which makes it highly precise
and capable of unpacking malware samples in a system-wide con-
text. Minerva models execution waves on a per-process basis and
each process with malware execution operate within the context of
a single execution wave at any given moment. This provides for a
clear wave model and implementation but may result in duplicate
content amongst waves, for example, when execution waves use
code from an earlier execution wave.
Minerva takes as input a 32-bit Windows binary and outputs at
least one Portable Executable (PE) file per execution wave. This
has the benefit of mostly independent PE files but also means the
duplicate content of multiple waves will exist in multiple PE files.
In order to produce output that is useful for follow-up analysis,
Minerva captures how the malware uses external dependencies
throughout the entire execution and maps this to each execution
wave, resulting in PE files with valid import address tables and
patched API calls. Finally, Minerva also performs static analysis
to identify relevant malware code within each execution wave. In
addition to our unpacker, we also propose a new benchmark suite
with applications that combine code-injection techniques, dynami-
cally generated code and obfuscation of external dependencies to
overcome the limitations of empirical evaluation in existing work.
We demonstrate our unpacker empirically against synthetic and
real-world malware samples.
Our main contributions of this paper are as follows.
• We present a novel approach that combines dynamic and
static analysis techniques to unpack malware that executes
across the entire system automatically. The approach fo-
cuses on precise analysis and outputs unpacked samples
that are well-suited for follow-up static analysis.
• We present a new benchmark suite with samples exploring
modern-day packing behaviours. To the knowledge of the
author, this is the first benchmark suite that comprises
synthetic applications aimed at evaluating unpackers.
• We implement the techniques into Minerva and present
an extensive empirical evaluation based on synthetic ap-
plications and real-world malware samples.
2 BACKGROUND, MOTIVATION AND
OVERVIEW
Packing is an umbrella term that refers to a set of various concrete
obfuscation techniques and there is no clear definition on the spe-
cific obfuscation techniques it encapsulates. This section clarifies
the obfuscation techniques we treat in this paper and the limitations
of existing work that motivate us. In total, we have compiled six
core limitations across two general obfuscation techniques.
2.1 Dynamically generated code
The obfuscation technique that is most commonly associated with
packing is dynamically generated code. In its simplest terms, dy-
namically generated code is when an application writes memory
at run time and then proceeds to execute this memory. Most often
malware does this by containing encrypted code inside its binary
image and decrypting this at run time in order to execute it. Ex-
isting automated unpackers identify dynamically generated code
with the write-then-execute heuristic. This heuristic partitions the
malware execution into a set of layers L0 , L1 , . . . Ln such that each
layer constitutes dynamically generated code. Layer L0 represents
the instructions of the binary malware image when first loaded into
memory and Li+1 represents the instructions executed on memory
2
written by the instructions in layer Li .
Limitation 1.1: the write-then-execute heuristic is unable
to capture dynamically generated malicious code via benign
code. The strict relationship that instructions of one layer must be
dynamically generated explicitly by instructions from a previous
layer severely limits the generality of existing work. Malware that
uses benign code to dynamically generate its malicious code go
unnoticed by this model. The implications of this limitation are
substantial for capturing dynamically generated code across mul-
tiple processes by way of code-reuse attacks or OS-provided APIs
since it is not the instructions of the malicious code that does the
writing of memory. Rather, it is benign code that is manipulated by
the malware into writing dynamically generated malicious code.
Limitation 1.2: existing work unreasonably approximate
relevant dynamically generated memory. Whenever an un-
packer observes dynamically generated code it outputs the code for
follow-up analysis. To do this, the unpacker must have a definition
of what parts of dynamically generated memory are relevant to the
unpacked code. This is because not all memory that is dynamically
generated, e.g. the stack, is relevant for the unpacked output. How-
ever, this step of identifying relevant memory is highly overlooked
by previous work. For example, neither Renovo [23] nor EtherUn-
pack [10] clearly describe the specific memory they extract during
unpacking, and Mutant-X [17] dumps the entire memory image of
a process when observing dynamically generated code. These are
unreasonably imprecise and leave follow-up analysis with the task
of identifying a needle in a haystack.
Limitation 1.3: existing work output raw memory scat-
tered across many memory dumps. The majority of existing
unpackers [6, 10, 23, 42] make little effort to output the unpacked
code in a coherent data structure but rather output the unpacked
malware in the shape of raw memory dumps. The problem is that
when malware dynamically generates code, this may be scattered
across several regions, and some of these may also be data-only
sections. A precise unpacker should not output incoherent raw
memory regions, but rather a suitable data structure that combines
these memory regions in an appropriate manner, e.g. re-basing
where needed, that enables meaningful follow-up analysis.
2.2 Obfuscating external dependencies
The way malware interacts with its environment is significant to
understanding its malicious activities. We capture this understand-
ing by analysing how the malware uses the OS via API calls and
system calls, and these are, therefore, natural obfuscation targets
for malware.
Limitation 2.1: existing unpackers fail to accurately corre-
late API calls to malicious code. There is often a large portion of
dynamically generated code that must be covered when analysing
packed malware. To quickly navigate towards relevant parts, we
rely on the malware’s use of APIs. However, existing unpackers
fail to accurately correlate API calls within a process to the packed
code, or even, more generally, attribute whether a given API call
was performed by malicious or benign code. Consequently, they
report unreasonable estimates of API-usage by the malware.
In order to circumvent this limitation, the unpacker needs to
maintain knowledge of which code belongs to the malware and also
be able to identify the instruction responsible for a given API call.
From an engineering point of view, most unpackers will be able to
augment their systems with solutions to these problems with a mod-
est implementation effort. However, fundamentally, this limitation
is guarded by the ability to correctly identify what code belongs
to the packed malware, which is closely related to Limitation 1.1 (a) Traditional unpacker, from [42]
and Limitation 1.2. We identify it here because it is an essential
feature in terms of understanding how the unpacked malware code
uses external dependencies and something that current unpackers
do not support. For example, when the unpacker from Ugarte et
al. is matched with a sample1 from the Tinba malware family that
creates one layer of dynamically generated code before injecting
code into the Windows process winver.exe, the unpacker reports
that the dynamically generated code performs 1666 API calls from
more than 350 different API functions. This result far exceeds the
correct count, which is fourteen API calls from ten different API
functions.
(b) Minerva
Limitation 2.2: output from existing unpackers do not
show API-usage when faced with custom API-call resolu-
tion. There is an intricate relationship between dynamically gen- Figure 1: The output of unpackers when being matched with
erated code and API call obfuscation. In regular PE binaries, the API calls that are obfuscated with custom API resolution
import address table (IAT) specify the external modules the given and that branch via a temporal register value.
application uses. At run time, the operating system linker uses this
IAT to load these modules and resolve the addresses of the specific
functions the binary imports. However, packed code minimises
the IAT to hide how it uses external dependencies, and, instead of
using the regular OS linker, the packer deploys a custom linker to
resolve its imports.
Custom API resolution can happen at any moment(s) during
execution and memory dumps taken by existing unpackers are,
therefore, susceptible to occur when the malware is yet to resolve
its external dependencies. Unfortunately, it is rare that API res-
olution has occurred the moment dynamically generated code is
observed, which is precisely when existing work dumps the memory (a) Traditional unpacker
[6, 10, 23]. Figure 1 shows the differences of matching a traditional
unpacker (Figure 1a) with a sample that has custom API resolution
and matching the same sample with an unpacker that accurately
captures API-usage in unpacked code (Figure 1b), in this case, a
result of Minerva. It is clear that without knowledge of the API
calls it is hopeless to determine the activities of the code, whereas
it is clear from the Minerva-generated code.

Limitation 2.3: existing unpackers are unable to identify

obfuscated API calls. Orthogonal to the resolution of API calls,
some packed malware samples will go a step further and directly
obfuscate the way they call external APIs. In general, there are
many ways for malware to obfuscate API calls. In Figure 1a, we see
that the raw calls from Tinba depend on the value of EBX, which
(b) Minerva
Figure 2: The output of unpackers when being matched with
an API obfuscation from the PEtite packer.

1 sha256 078a122a9401dd47a61369ac769d9e707d9e86bdf7ad91708510b9a4584e8d4
3
 Malware
sample
Full system
recording
Taint analysis
Replay
Malware Tracing analysis
Wave collector
API hooks
Disassembler
Static
IAT builder analysis
PE builder
Binary patcher
PE files
Figure 3: Architecture of Minerva’s automatic unpacker.
in this case contains the base-offset of a custom IAT by the mal-
ware. Furthermore, Figure 2 shows an example from an application
packed with the PEtite2 packer where the code calls a Windows
API function by pushing a value on top of the stack, rotating that
value and then transferring execution via a ret instruction to the
rotated value on top of the stack.
The output of existing unpackers is not capable of resolving ob-
fuscated API calls in the unpacked code. This is a problem because
it is much harder and sometimes impossible, to determine the desti-
nation of the branch instructions in follow-up analysis than it is for
the unpacker. For example, without knowledge about the contents
of EBX, the data at the address being read and the process layout,
it is impossible to determine the destination of the given branch
instructions and if they are API calls.
2.3 Solution overview
The goal of this paper is to develop system-wide, precise and general
unpacking techniques. Specifically, our goal is to input a malware
binary into our Minerva tool and output PE files that precisely
capture the malware code post-decryption and decompression, and
also capture how the malware uses external dependencies. The aim
is to output PE files that are well-suited for follow-up analysis by
off-the-shelf static analysis tools and manual investigation.
To achieve our goal, we must overcome the limitations high-
lighted above. First, to overcome the limitations when dealing with
dynamically generated code, we need a solution that can (limita-
tion 1.1) identify dynamically generated memory across the system;
(limitation 1.2) extract precisely the memory that is relevant to the
malware; and (limitation 1.3) combine the relevant dynamically
generated code into meaningful and related structures. Second, to
2 https://www.un4seen.com/petite/
4
overcome the limitations against malware that obfuscates exter-
nal dependencies, the solution must also (limitation 2.1) precisely
capture the use of API calls within the malware code; (limitation
2.2 and 2.3) do this in the context of custom API resolution and
obfuscated API calls; and, finally, map these observations to the
output, so it is readily available for follow-up analysis.
The solution we come up with, and implement into Minerva,
deploys a two-step approach following the architecture shown in
Figure 3. First, we use the dynamic analysis in Minerva to precisely
extract packed code and the API calls of the malware, and then
we use static analysis to construct PE files based on the unpacked
code. Specifically, the first step is to capture the malware execution
trace using dynamic taint analysis in a similar fashion to Tartarus
presented by Korzynski and Yin [29]. Then, we abstract the malware
execution trace into execution waves based on information flow
analysis such that an execution wave is a process-level construct
that represents dynamically generated code in the malware. During
the run time analysis, Minerva also ensures precise identification of
API calls by the instructions in the malware execution trace. From
the first step, we get a set of execution waves consisting of memory
dumps, the malware execution trace of each wave and more. The
second step Minerva performs is to group related memory within
each execution wave using disassembly techniques. Minerva then
converts each group of related dumps into a new PE file with a
new import address table, and patches API calls based on static
analysis and the API calls observed during dynamic analysis. In the
following sections, we detail these steps.
3 SYSTEM-WIDE MALWARE TRACING
A key component of our system is the ability to trace the mal-
ware throughout the entire operating system using dynamic taint
analysis. We implement the techniques in Tartarus [29] to do this.
In order to make this paper self-contained we briefly summarise
the idea in this section, however, for complete description of the
approach we refer to [29].
3.1 Abstract model of execution environment
We define a formal environment in which we can reason about exe-
cutions in a sandbox. The model we present is an extension of work
from Dinaburg et al. [10]. We consider execution at the machine
instruction level, and since an instruction can access memory and
CPU registers directly we consider a system state as the combina-
tion of memory contents and CPU registers. Let M be the set of all
memory states and C be the set of all possible CPU register states.
We denote all possible instructions as I , where each instruction can
be considered a machine recognisable combination of opcode and
operands stored at a particular place in memory.
A program P is modelled as a tuple (M P , ϵ P ) where M P is the
memory associated with the program and ϵ P is an instruction in
M P which defines the entry point of the program. There are often
many programs executing on a system and each of these may com-
municate with each other through the underlying OS. As such, we
model the execution environment E as the underlying OS and the
other programs running on the system.
We define a transition function δ E : I ×M ×C → I ×M ×C to repre-
sent the execution of an instruction in the environment E. It defines
how execution of an instruction updates the execution state and
determines the next instruction to be executed. The trace of instruc-
tions obtained by executing program P in execution environment
E is then defined to be the ordered set T (P, E) = (i 0 , . . . , il ) where
i 0 = ϵ P and δ E (i k , Mk , Ck ) = (i k +1 , Mk +1 , Ck +1 ) for 0 ≤ k < l. We
note here that the execution trace does not explicitly capture which
instructions are part of the program, with the exception of i 0 , but
rather all the instructions executed on the system including instruc-
tions in other processes and the kernel. For any two elements in
the execution trace i j ∈ T (P, E) and i k ∈ T (P, E) we write i j < i k if
j < k, i j > i k if j > k and otherwise i j = i k . We use this to define
ordering between the instructions of the sequence.
3.2 Malware execution trace
We now introduce the concept of malware execution trace. Suppose
P is a malware program and PA is some malware tracer that aims
to collect P’s execution trace. Malware program P is interested in
evading analysis and gain privilege escalation by using code-reuse
attacks and code injections. As such, the execution trace of the
malware may contain instructions that are not members of program
P’s memory M P .
To monitor the malware across the environment, the malware
monitor PA maintains a shadow memory that allows it to label the
memory and the CPU registers. This shadow memory is updated
for each instruction in the execution trace. Let S ⊆ M ×C be the set
of all possible shadow memories. We then define the propagation
function δ A : S × I → S to be the function that updates the shadow
memory when an instruction executes. The list of shadow memories
collected by the malware tracer is now defined as the ordered set:
STA (T (P, E)) = (s 0 , . . . , sl ) where δ A (sk , i k ) = sk +1 for 0 ≤ k < l.
The job of the malware tracer is to determine for each instruc-
tion in the execution trace whether the instruction belongs to
the malware or not. To do this, the analyser uses the predicate
ΛA : S × I → {true, f alse}. The malware execution trace is now
given as the sequence of instructions for which ΛA is true and we
call ΛA the inclusion predicate. We define the malware execution
trace formally as follows:
Definition 1. Let T (P, E) be an execution trace and PA a mal-
ware tracer. The malware execution trace is the ordered set ΠA =
(m 0 , . . . , md ) where:
• ΠA is a subsequence of T (P, E);
• ∃v | m j = iv ∧ ΛA (sv , iv ) for 0 ≤ j ≤ d.
The above definition says that the malware execution trace is
a subsequence (ordering is preserved) of the entire whole-system
trace and for each instruction in the malware execution trace there
is a corresponding instruction in the whole-system trace for which
the inclusion predicate is true.
The malware execution trace gives us a definition we can use to
reason about the properties of malware tracers. In particular, for
a given malware tracer it highlights the propagation function, δ A ,
and the inclusion predicate, ΛA , to be the defining parts. Having
constructed our model of malware tracers and identified the key
aspects that determine how they collect the execution trace, we now
move on to present how Minerva precisely captures system-wide
propagation.
5
3.3 Tracing the malware execution
The goal is to capture malware execution throughout the whole
system in a precise and general manner. The overall idea is to
use dynamic taint analysis to mark the malware under analysis as
tainted and then capture its system-wide execution by following
how the taint propagates through the system.
Algorithm 1 gives an overview of our approach to capturing the
malware execution trace. Assuming the first instruction executed
on the system is the entry point of the malware, the first step (line
1) is to taint the memory making up the malware. In particular,
we taint the entire malware module, including data and code sec-
tions. Next, execution continues until there is no more taint or a
user-defined timeout occurs, and for each instruction executed we
check if the memory making up the instruction is tainted (line 7).
We include the instruction in the malware execution trace if the
instruction is tainted (line 8). For each instruction in the malware
execution trace we taint all the output of the instruction, so as to
follow memory generated by the malware that is generated inde-
pendently of the initial state of the malware memory, as shown by
the Update algorithm in Algorithm 2 (line 3-5).
4 INFORMATION FLOW EXECUTION WAVES
Given the malware execution trace, the next step is to partition it
into execution waves. The goal of execution waves is to capture
dynamically generated malicious code independently of who wrote
the code and on the basis that the generated code must originate
from the malware. However, we consider execution waves to be
more than just a sequence of instructions. The set of execution
waves gives an explicit representation of an entire application, in-
cluding dynamically generated malicious code, and each execution
wave may, therefore, include both executable and non-executable
data.
In this section we give a semantics for execution waves (Section
4.1) and describe how we collect the waves in practice (Section 4.2).
4.1 Execution wave semantics
The goal of our execution wave semantics is to clearly define the
conversion of a malware sample’s execution into waves of dynami-
cally generated malicious code. As such, we describe the waves in
relation to an execution trace T (P, E) described in Section 3.1.
We partition the malware execution into waves on a process-
level basis. We map every instruction in the malware execution
trace i ∈ ΠA to a process Py and a wave within this process Wx .
We denote PyWx to mean wave x within process y, and every
process with malicious code execution contains a sequence of waves
Py .Ω = PyW0 , . . . , PyWn with |Py .Ω| ≥ 1. We denote the initial
wave in which malware execution begins as Pϵ Wϵ and the set ΦΠ
contains all execution waves for a given malware execution trace
ΠA . For each instruction in the malware execution trace, we first
identify the process in which they execute and then the wave they
belong to within their respective process.
Formally, we define an execution wave as follows.
Definition 2. An execution wave is a tuple composed of:
• A sequence of instructions I = i 0 , . . . , i n executed in the
given wave. We have i 0 to be the entry point of the wave;
 • a shadow memory S, which is a set of ordered pairs (maddr , mbyt e ) sufficient to keep track of the current wave in each process. We
that contains the tainted memory making up the wave, in- initially only have one, wave which is the wave inside of the process
cluding both code and data memory; executing the malicious application. The shadow memory S of this
• the tainted writes T which is a set of ordered pairs (taddr , tbyt e ) wave is the malware module when loaded into memory, and the set
that holds the tainted memory written by instructions in P of tainted writes is initially the empty set, T = ∅. We then update
since i 0 , where P is the process of the execution wave. the set of tainted writes whenever an instruction writes tainted
memory following our Update function shown in Algorithm 2.
Next, we present a set that formalises our requirements for par-
titioning a complete execution trace into a set of execution waves.
ALGORITHM 1: Wave collection
The purpose of this definition is to capture every layer of dynami- Data: (input) Malware sample B
cally generated malicious code and not restrict a minimal overlap Result: Logged malware execution waves and malware execution trace Π .
between the content of each execution wave. In the following, 1 P ← init taint(B)
2 T, S ←init waves(B) // initialise the shadow memories and tainted writes.
we write for two instructions i, j, i < j if i comes before j in the
3 // Full system instrumentation
malware execution trace, and vice versa. 4 i ← f ir st inst r ()
while P , ∅ do
Definition 3. Let T(P,E) be an instruction execution trace and ΠA 5
6 // is the instruction tainted?
the corresponding malware execution trace. The set of execution waves 7 if i[A] ∈ P then
is then given ΦΠ = {P 0 , . . . , Pn } where: 8 Π ← Π∧ hii
9 if i[A] < Spid then
• ∀i ∈ ΠA ∃Px ∈ ΦΠ |i ∈ Px .I. 10 if i[A] < Tpid then
• For any PyWx and PyWz in ΦΠ where x < z we have that 11 Spid ← Spid ∪ (i[A], i[mem])
∀i x ∈ PyWx .I, ∀i z ∈ PyWz .I|i x < i z . 12 Wpid ← Wpid ∪ {i }
This says that there is a strict ordering in the malware 13 else
14 Spid , Tpid , Wpid ← dump wave()
execution trace between the instructions of any two waves in 15 else
a given process Py .Ω. 16 if i[A] ∈ Tpid ∧ Spid [i[A]] , i[mem] then
• ∀(maddr , mbyt e ) ∈ Pw Ww 0 .S∃(taddr , tbyt e ) ∈ Pt Wt 0 .T 17 Spid , Tpid , Wpid ← dump wave()
else
|(maddr , mbyt e ) ∈ Pϵ Wϵ .S∨(maddr , mbyt e ) = (taddr , tbyt e )
18
19 Wpid ← Wpid ∪ {i }
where Pw Ww 0 , Pt Wt 0 and ∀iw ∈ Pw Ww 0 .I∃i t ∈ Pt Wt 0 |i t < 20 i, P, T = updat e(i, P, T)
iw . 21 return (Π)
This says that the shadow memory for all execution waves
must either exist in the shadow memory of the initial wave To capture execution waves, we monitor for each process the re-
or be composed of tainted memory written by a wave that lationship between the currently executing instruction, the shadow
started earlier. memory and the set of tainted writes following Algorithm 1. Specif-
• For any wave PyWx ∈ ΦΠ we have that ∀i ∈ PyWx .I ically, for every tainted instruction in the malware execution trace,
|∃(maddr , mbyt e ) ∈ PyWx .S|i[A] = maddr . there are four possible cases:
This says the memory of any instruction in each execution
(1) The address of the instruction is not in the shadow memory
wave must be present in the shadow memory of the given
and not in the tainted writes (line 10 Algorithm 1);
wave.
(2) The address of the instruction is not in the shadow memory
An important aspect of Definition 3 is that the second bullet but in the tainted writes (line 13 Algorithm 1);
enforces a strict ordering between instructions in the set of execu- (3) The address of the instruction is in the shadow memory and
tion waves for each process. The effect of this is that we preclude in the tainted writes but the content of the shadow memory
instructions from any given execution wave to be used in any other is not similar to current instruction (line 16 Algorithm 1);
execution wave. The reason we do this is that it creates a clear (4) The address of the instruction is in the shadow memory and
history of execution wave progress within each process, and it in the tainted writes and the content of the shadow memory
becomes easier to implement since it is only necessary to maintain is equivalent to the memory of the current instruction (line
one execution wave per process. The drawback is that when mal- 18 Algorithm 1).
ware transfers execution to code from an earlier execution wave, Case (1) happens in two scenarios. The first case is when tainted
we include some content of the earlier execution wave into the memory is transferred across processes via shared memory. For
current execution wave. In this way, we may end up with waves example, if tainted memory is written to memory shared by pro-
that overlap in their shadow memory, but, naturally, this can be cesses P1 and P2 and the instructions performing the writing is
stripped during post-processing. However, we have found this to in P1 , then the tainted writes will not be in P2 .T or P2 .S because
be no major issue and that the trade-off works well in practice. we only populate P2 .T if instructions from P 2 .T are writing to
However, we leave the door open and encourage future work in the address space of P2 . The second case is when code from the
other models, e.g. more refined models. current wave transfers execution to code that is part of an earlier
wave. This is because the shadow memory of each wave does not
4.2 Collecting the execution waves propagate to the proceeding wave, but the memory remains tainted
In practice, we only associate one wave with a given process at nonetheless. Whenever we observe case (1) we add the memory of
any given moment. Therefore, to collect the execution waves, it is the instruction to the shadow memory of the current process and
6
also append the instruction to the sequence of instructions in the
current wave. In this case, we update the shadow memory of the
current wave with the executing instruction.
In case (4) the current instruction is simply part of the current
execution wave, and this is by far the most common case. In this
case, we append the instruction to the instruction sequence of the
current wave. In cases (2) and (3) we consider the current instruction
to be the entry point of a new execution wave. Specifically, in case
(2) the instruction is dynamically generated in a new memory region
and in case (3) the instruction is dynamically generated on top of
already existing malware code.
In the event of a new wave, we log information about the current
wave following Algorithm 3. First, we log the instructions executed
in the current wave, tainted writes and the shadow memory, which
includes dumping every page in which there is a tainted write
and also dumping the shadow memory. Then we set the shadow
memory of the next wave to be the tainted writes of the current
wave and set the tainted writes to be the empty set.
ALGORITHM 2: Update
Data: (input)Instruction i , memory propagation set P , Tainted writes T .
Result: Next instruction i ne x t , memory propagation set P , Tainted writes T
1 P ← pr opaдat e t aint (i, P)
2 i ne x t ← ex ec inst r (i)
3 if i[A] ∈ P then
4 for o ∈ i[O ] do
5 P ← P ∪ {o }
6 for w ∈ i[W ] do
7 if w ∈ P then T[i .pid] ← T[i .pid] ∪ {w }
8 return i ne x t , P, T
ALGORITHM 3: dump wave
Data: (input)Current wave W , shadow memories S , Tainted writes T .
Result: Updated S , T , W
1 LogInstrs(Wpid )
2 LogTaint( T)
3 LogShadowMem( S )
4 Spid ← Tpid
5 Tpid ← ∅
6 Wpid = ∅ ∪ {i }
7 return Spid , Tpid , Wpid
The execution waves capture dynamically generated code inde-
pendent of who wrote the code including dynamically generated
malicious code via benign code. We achieve this generality because
the shadow table is composed of tainted memory and tainted mem-
ory propagates through both benign and malicious instructions.
Since the tainted code originates from the malware itself, it is dy-
namically generated malicious code. This property distinguishes
our technique from previous work and allows it to be more general
without losing precision.
The output from collecting the execution waves is the sequence of
waves executed during the malware execution. For each execution
wave, we have memory dumps of the tainted memory during its
execution and the list of instructions that belong to each wave. As
such, we have an explicit representation of each instruction in the
malware execution in the form of its raw bytes, and we also have
memory dumps of any non-executed malicious (tainted) memory.
7
All of this information will then be used to reconstruct PE files that
are effective for follow-up static analysis.
5 PRECISE DEPENDENCY CAPTURE
In order for the PE files to be useful for follow-up static analy-
sis, they must show how the malware uses external dependencies.
As described in Section 2.2, we must consider custom API call
resolution and obfuscated API calls. To this end, we capture the
destination of every branch instruction in the malware execution
trace and check if it corresponds to the beginning of a function in
an external module.
To collect the addresses of functions in each process with mal-
ware execution, we iterate the export table of every module in the
given process and capture the address of every function it exports.
We put these functions in a per-process map that pairs function ad-
dresses with their respective function names. Minerva also comes
with the possibility to speed up this process using pre-calculated
function offsets for a given DLL. As such, with pre-calculated offsets,
we only need to know the base address of a given imported module
inside the malware process to compute the absolute addresses of
its exported functions.
To capture the API functions that the malware calls, we obtain the
destination of every branching instruction in the malware execution
trace. If the branch destination is in the set of functions exported by
any of the dynamically loaded modules within the execution trace,
it means the malware performs an API call. We log every API call
and for some functions the parameters as well. For many functions
in the Windows API, the return value is also essential to understand
the semantics of the call. To capture the return value and output
parameters, we note the return address of the API call on the stack
and read the output of the function whenever the return address
executes. We also monitor functions like LoadLibrary to update
our export table when processes load new modules.
Our approach to monitoring API calls precisely captures the API
calls performed by instructions in the malware execution trace and
do not capture API calls performed by benign code inside a process
in which the malware executes. Furthermore, because we know the
specific malicious instruction for each execution wave, it is trivial
to map API calls to execution waves. This precise mapping highly
improves the precision of the analysis in comparison to sandboxes
that capture API calls globally within a process since many of these
calls are irrelevant to the malware (this is particularly true in code
injected processes).
Minerva currently does not take any efforts when malware hides
API usage by way of stolen bytes or copying of the Windows code.
Furthermore, if malware deploys inlined library code or statically
linked libraries, then Minerva will not consider these as external
dependencies. This is a limitation we discuss further in Section 8.
6 STATIC RECONSTRUCTION OF
EXECUTION WAVES
After collecting the execution waves and external dependencies, we
need to combine these into PE files. For each execution wave we
construct a set of PE files based on the content of their respective
shadow memory and for each PE file we need three ingredients: (1)
The specific memory pages of an execution wave that makes up the
PE file; (2) the PE’s IAT; (3) the entry point of the file.
The static analysis component of Minerva performs three main
steps. First, it groups related memory dumps of each execution
wave, then identifies external dependencies in each of these memory
groups and, finally, builds new PE files based on the results of the
two previous steps.
6.1 Merging over-approximated shadow
memories
The output from collecting the execution waves includes, for each
execution wave, page-level memory dumps of the shadow memory
and tainted writes. Intuitively, it can seem appropriate to convert all
of these memory dumps into one large PE file and use this for static
analysis. However, we have found this to be imprecise in practice
because it is rarely the case that all of the memory dumps are
relevant to the malware. On the one hand, the shadow memory is a
conservative approximation as we capture some memory that is not
executable code, and some memory is a result of over-propagated
taint. On the other hand, we do not want to reconstruct PE files
purely based on executed memory since this will miss non-executed,
yet still, malicious executable code, and also relevant data sections.
To avoid this imprecision, we divide the page-level memory
dumps from the dynamic analysis into smaller groups, such that
the pages of each group are related and no page in a given partition
relates to any other partition. The goal with this is to capture
the parts of the malware that are self-contained and represent the
application timelessly. To this end, we create a PE file with multiple
sections for each partition. Figure 4 shows an example of how we
select the specific tainted pages that are relevant for the unpacked
malware from a set of tainted pages output by Minerva’s dynamic
analysis component.
The first step is to identify the tainted pages with malicious code
execution. To do this, we first iterate the sequence of instructions
executed in a given execution wave and collect all pages that hold
instructions from this sequence. Following this, we iteratively
collect neighbouring pages until there are no more neighbouring
pages and the result is a set of page-level intervals where some
pages hold executed code, and other pages neighbour up to these.
This corresponds to the first two steps in Figure 4.
Following this, we identify pages in the shadow memory that
relate to each interval. To construct self-contained PE files, we cap-
ture data-dependencies and control-dependencies to other pages
in the shadow memory for each interval. We do this by perform-
ing speculative disassembly on each memory dump to capture
cross-references to other memory dumps. This step gives us cross-
references for each interval, and we then iteratively merge related
intervals such that no interval will have cross-references to other
intervals. Following this approach, we end up with a set of groups
of memory dumps, and we create a PE file for each of these groups.
In the example in Figure 4 we end up with one group consisting of
two intervals and will, therefore, create one PE file.
8
6.2 Dependency reconstruction
To reconstruct external dependencies in our PE files, we need to
rebuild the IAT of the binary and patch instructions to rely on this
new IAT.
To construct the IAT, we first identify API calls made by instruc-
tions belonging to the pages of each memory group. We identify
these by matching the API hooks collected during dynamic analysis
to instructions of the respective code wave and the pages of the
given memory group. We include each unique API function in the
IAT of the reconstructed PE file.
Although we know which instructions branch to external APIs
from the malware execution trace, the branch destinations may
not be visible from the memory dumps themselves. The final step
in constructing PE files is, therefore, to map the instructions that
perform API calls to our newly generated IAT by patching them
on the binary level. Unfortunately, binary patching is not an easy
task since some instructions may require for us to rearrange the
instructions in the binary, and this may subsequently break it. In
practice, we patch branch instructions that are 6 bytes long, e.g.
call [0xdeadbeef], because we can do this without rearranging
instructions. We do not patch instructions that are less than 6
bytes, e.g. call eax. However, we still keep the cross-references
so they can be used in more abstract representations in a follow-up
analysis.
6.3 Final PE construction
In order to construct the final PE file, we need to know the entry
point and the PE sections to put in the file. To identify the entry
point, we go through the instruction sequence of the given wave
and identify the first instruction in the range of each memory dump
group. In order to construct the PE sections, we rely on the memory
intervals that we end up with in each memory group. For example,
in our example from Figure 4 we end up with one group and two
intervals ([0x5300000-0x5303000], [0x6200000-0x6201000]). We
make each of these intervals into an individual section of the PE file
and place the newly generated IAT in-between the PE header and
these sections. The reason we make each of them into individual
sections is to avoid rebasing each interval. The pages we dump
from virtual memory are placed at various locations, and each of
them must keep this virtual address in the PE file. As such, the
PointerToRawData and VirtualAddress values in each section
header will be significantly different, and the VirtualAddress
points to the base address of each interval as it was when dumped
from virtual memory (0x5300000 and 0x6200000 in the example
in Figure 4).
7 EVALUATION
Having presented the core techniques of Minerva, we now move
on to evaluate Minerva using multiple benchmarks with respect to
the following research questions:
(1) Does Minerva precisely capture dynamically generated
code and the malware’s API calls?
(2) Does Minerva improve results over previous work?
(3) Is Minerva relevant for common malware analysis tasks?
 Tainted pages from
dynamic analysis
0x7768000
0x7751000
0x7731000
0x7557000 0x6201000
0x7551000 0x5303000 0x6200000
0x6201000 0x5301000 0x5302000 0x5303000
0x6200000 Collect 0x5300000 Gather neigh- 0x5301000 Speculative 0x5302000
pages with bouring disassem-
0x5901000 0x5300000 0x5301000
malicious pages. bly to collect
0x5303000 execution. pages by cross- 0x5300000
0x5302000 referencing.

0x5301000
0x5300000

Figure 4: The process of identifying which tainted pages from dynamic analysis that are relevant when reconstructing un-
packed PE files. In the example, the reconstructed PE file has two sections (0x5300000-0x5303000 and 0x6200000-0x6201000).

To facilitate the research questions above, we gather four sets of
benchmark applications comprising synthetic applications as well
as real-world malware applications:
(1) Benchmark #1 : Ground truth data set. We develop a
new benchmark suite that combines the use of dynamically
generated code, code injection and obfuscation of external
dependencies. In total, we have developed nine different
applications, and they are all described in Table 2.
The applications in the benchmark suite represent many
of the challenges posed by real-world packers. To the
knowledge of the authors, this is the first dedicated bench-
mark suite for challenging the attributes of unpackers
where none of the samples relies on packers developed
by third-party teams. The benefit of this benchmark suite
is that each sample poses specific challenges that are clearly
defined, the applications are easy to understand, and we
have the complete source code of each example. As such, it
becomes much more accessible to determine if an unpacker
is successful because there is no need to reverse engineer
large amounts of binary code.
(2) Benchmark #2 : Selected malware samples. The sec-
ond data set corresponds to several malware samples from
the families CryptoWall, Tinba, Gapz and Ramnit. These
samples perform many of the obfuscation techniques that
Minerva aims to overcome, such as code injection com-
bined with dynamically generated code and custom API
resolution.
(3) Benchmark #3 : Packed synthetic samples. We have
taken a set of synthetic samples and packed them with
well-known packers. In these applications, we know the
applications’ behaviours before packing because we de-
sign the applications; however, we do not know the exact
changes the packers make on the code and, therefore, do
not have ground truth about the packed applications.
(4) Benchmark #4 : Real-world malware samples. This
set comprises 119 malware samples from the real-world
malware families listed in Table 1. We collected seven
samples from each family to maintain a balanced data set,
and the samples were collected from VirusTotal. In order
Artemis CTBLocker Cerber CoinMiner
CosmicDuke Emotet Kovter Madangel
Mira Natas Nymaim Pony
Shifu Simda TinyBanker Urausy
Zbot
Table 1: The malware families in Benchmark set #4. We col-
lected a total of seven samples from each family.
to ensure the samples are indeed benign, we required each
sample to be detected by at least 15 anti-malware vendors.
Furthermore, in order to ensure certainty that the samples
belong to their respective families, we required at least two
vendors to label them in the same family. On average each
sample had 52 anti-malware vendors report it as malicious
and a median of 54. We recorded each of these samples for
25 seconds and set a max replay time of 120 minutes.
In order to assess the techniques of Minerva, we must make a
fair and meaningful comparison to existing work. One approach is
to compare Minerva to recently proposed unpackers like Codisasm
[6] or Aranchino [34]. However, we already showed in [29] that
Codisasm is very limited due to its implementation in PIN, and
Aranchino is also developed on top of PIN with no additional effort
for analysing system-wide malware. Instead, we compare Minerva
to the unpacker by Ugarte et al. [42].
Ugarte et al. [42] propose a malware unpacker that is capable of
analysing multi-process malware is implemented on top of QEMU.
The unpacker supports multi-process unpacking by monitor various
system calls and also develop techniques for capturing memory
mappings. The tool they present is only available as a web service3 ,
which forces us to treat their system as a black box. Furthermore,
they do not mention which OS they support in their work; however,
from experimenting with the service, we conclude the analysis
environment is Windows XP. We determined this because the web
service responds with “Error - The sample did not start executing.”
when faced with applications compiled for Windows 7 and later,
3 www.packerinspector.com

9
 ID Description.
Dynamically generates code and uses custom IAT resolution to resolve
D1
GetModuleHandle, GetProcAddress and ExitProcess and exits.
Dynamically generates code and uses custom IAT resolution to resolve
D2 GetModuleHandle, GetProcAddress and MessageBoxA and then displays a
message box.
Dynamically generates code that further dynamically generates code and
then uses custom IAT resolution to resolve GetModuleHandle,
D3
GetProcAddress and MessageBoxA and then displays a message box.
Dynamically generates code that further dynamically generates code and
D4 then uses custom IAT resolution to resolve GetModuleHandle,
GetProcAddress and ExitProcess and then exits.
Opens the Windows process explorer.exe using OpenProcess,
WriteProcessMemory and CreateRemoteThread, then inside the target
C1
process dynamically resolves the address of GetModuleHandle,
GetProcAddress and ExitProcess, and calls each of them to exit.
Opens the Windows process explorer.exe using OpenProcess,
WriteProcessMemory and QueueUserAPC, then inside the target process
C2
dynamically resolves the address of GetModuleHandle, GetProcAddress
and ExitProcess, and calls each of them to exit.
Uses the PowerLoaderEx injection that relies on a global memory buffer and
code-reuse attacks to hijack execution of explorer.exe. Inside
C4
explorer.exe code-reuse attacks transfers execution to shellcode that calls
LoadLibraryA.
Uses the Atombombing injection techniques that relies on the global atom
C5 tables to execute within explorer.exe. Inside explorer.exe it uses
code-reuses attack to execute a piece of shellcode that launches calc.exe.
Injects code into explorer.exe similarly to A1, then inside the target
M1
process dynamically generates code that then dynamically resolves the
address of GetModuleHandle, GetProcAddress and ExitProcess, and
calls each of them to exit.
Table 2: Description of the samples in data set #1 and how
they perform code injection.
but runs normally with Windows XP applications. As such, we
wrote the samples in our data set to make sure they all execute
correctly on both Windows XP and Windows 7. We will refer to
the unpacker by Ugarte et al. [42] as PackerInspector.
7.1 Implementation
Minerva is built on top of PANDA [11], which is a dynamic analysis
framework based on full system emulation and utilises a record-
and-replay infrastructure. All of the code on top of PANDA is built
in C/C++ and the majority of our tools that process the output of
the sandbox are in Python. Most of the code in Minerva’s dynamic
analysis is on top of PANDA; however, we have had to modify the
main taint analysis plugin that comes with PANDA to be less re-
source intensive. Specifically, PANDA’s taint2 plugin can quickly
use 40+ GB of memory, and to limit this, we removed support for
taint-labels and made some data structures more simplistic.
7.2 Experimental set up
We conduct all of our Minerva experiments on a 4-core Intel-7 CPU
with 4.2 GHz and a Windows 7, 32-bit guest architecture. The guest
is in a closed network and connected to another virtual machine
that performs network simulation using INetSim[18]. As such,
malware samples that connect back to some CC server will be able
to resolve DNS names, connect to every IP and also receive content.
However, the content itself is the default data provided by INetsim.
We executed the applications on the guest machine with a local
admin account, and User Account Control (UAC) enabled. We
perform no user stimulation during the analysis, and there were no
10
applications apart from the generic Windows processes running in
the guest machine itself.
7.3 Empirical evaluation of correctness
In our first experiment, we match Minerva and PackerInspector
with the ground-truth samples in benchmark set #1. For each of the
samples, we capture the number of execution waves, the number
of processes involved in the execution, the number of API calls
observed from the last wave of each sample and the number of
functions in the IAT of the unpacker’s output. We match the results
from the output of Minerva and PackerInspector with our ground
truth data and Table 3 shows our results.
For the samples that execute in a single process, both Minerva
and PackerInspector capture the number of processes and waves
accurately. In two of these four samples, Minerva captures the
five expected API calls accurately, and in the other two Minerva
captures slightly more than the expected number. PackerInspector,
however, attributes about 200x more API calls than the expected
number to the final wave of the execution. Furthermore, Minerva
builds the IAT for the two samples accurately and a slightly larger
IAT for the other two. PackerInspector is unable to produce any
output with an IAT, and there is no sign of API usage in the output
of PackerInspector. The reason Minerva captures slightly more API
calls than expected is that the compiler, naturally, adds various
function calls around the source code. PackerInspector success-
fully identifies the correct number of execution waves but fails to
attribute API calls accurately to unpacked code and also fails to
produce any output with an IAT. Minerva, however, succeeds at
both.
For the samples that perform multi-process execution, we ob-
serve that Minerva captures all processes, execution waves, API
calls, and rebuilds PE files with the expected IAT. The reason Min-
erva does not capture slightly more API calls than the expected
amount in these samples is that the final wave occurs within an
injected process and does not contain the added functions from
the compiler. Surprisingly, PackerInspector fails to detect multi-
process execution in any of the samples, and we suspect this is
because PackerInspector only monitors for multi-process execution
via memory mapped files which none of the samples uses. From our
multi-process samples, we observe the limitations of the original
write-then-execute heuristic, in that it is unable to handle system-
wide unpacking in a general and precise manner. However, the
novel techniques introduced by Minerva are successful at this.
When matched with our ground-truth samples it is clear that
PackerInspector over-approximates the API usage of the applica-
tions, is unable to output unpacked code that shows API usage
when faced with obfuscations of external dependencies and under-
approximates the system-wide malware execution. These obser-
vations verify our hypothesis that state-of-the-art unpackers are
unable to deal with many challenges faced by system-wide packing
and that the techniques in Minerva overcome these limitations.
7.4 Empirical evaluation against selected
malware
In our second experiment, we match Minerva and PackerInspector
with the malware samples in data set #2. The goal of this experiment
 Precision Precision
(Ground Truth, Minerva, PackerInspector) (Minerva, PackerInspector)
Sample #Procs #Waves #API calls in final wave #IAT size Sample Procs Waves API calls Unique APIs
(1) D1 1,1,1 2,2,2 5,8,1007 3,5,0 CryptoWall4 5(†2),4(†1) 8,4 7371,21050 148, 354
(1) D2 1,1,1 2,2,2 5,5,1007 3,3,0 CryptoWall 5 3, 4(†1) 6,4 9945,23580 135, 388
(1) D3 1,1,1 3,3,3 5,5,1006 3,3,0 Tinba 6 3,2 4,3 557,34076 54, 477
(1) D4 1,1,1 3,3,3 5,10,1007 3,6,0 Tinba 7 3,2 4,3 667,49260 55,549
(1) C1 2,2,1 2,2,1 6,6,† 3,3,† Tinba 8 3,2 4,3 704,49262 55, 550
(1) C2 2,2,1 2,2,1 6,6,† 3,3,† Gapz 9 2,1 7,5 36509156, 15850000 140, 336
(1) C4 2,2,1 2,2,1 1,1,† 1,1,† Gapz 10 2,1 4,3 36504908, 15845670 125, 226
(1) C5 2,2,1 2,2,1 5,5,† 3,3,†
Gapz 11 3,1 5,2 36506063, 15844113 186, 251
(1) M1 2,2,1 3,3,1 6,6,† 3,3,†
Ramnit 12 3, 4(†1) 8,5 6908,56720 116, 479
Table 3: The evaluation results from matching Minerva and Ramnit 13 12(†1),5 30,6 16185,209828 153, 489
PackerInspector with the ground-truth samples of data set Ramnit 14 3, 5(†1) 8,8 3189, 115943 115, 621
#1. † means not available because PackerInspector failed to Table 4: The evaluation results from matching Minerva and
reach the last wave. PackerInspector with the malware samples of data set #2. †
indicates the number processes we determined to be false
positives.

finds one less than PackerInspector. In both samples, both unpack-

is twofold. First, we aim to measure how each unpacker captures
ers find two injections into svchost.exe and in both cases, Pack-
system-wide unpacking based on the number of processes and
erInspector also finds injections into vssadmin.exe. Minerva also
waves they identify. Second, we aim to measure the difference in
finds an injection into vssadmin.exe in the sample with five pro-
the total amount and the unique amount of API calls observed in
cess executions. However, we have found that these vssadmin.exe
each malware execution.
propagations correspond to false positives. In particular, we found
We only have access to PackerInspector via their web interface,
no injections into vssadmin.exe but rather that the samples ex-
and in this experiment, it is important to highlight the limitations
ecute the following command ‘‘vssadmin.exe Delete Shadow
of this. The samples we analyse with Minerva are executed in
/All /Quiet’’ using the WinExec call. We believe this call results
Windows 7, and the samples we analyse with PackerInspector pre-
in the memory flowing into the vssadmin.exe and is, effectively,
sumably execute in Windows XP. In addition to this, we do not
the reason the unpackers identify execution in vssadmin.exe.
know the state of the execution environment that PackerInspector
In two Ramnit samples, Minerva finds fewer injections than
uses to execute the malware samples, such as the processes exe-
PackerInspector. In one of these samples, PackerInspector reports
cuting on the system, the network connection, the privilege-level
an additional injection into IEXPLORE.exe that is not identified
of the malware, the security settings in the guest system, and so
by Minerva. We analysed the sample ourselves and found that
on. This adds a level of uncertainty to the results we present in
the sample only injects into two IEXPLORE.exe processes if it fails
this section since we are not conducting an isolated comparison
to inject into two svchost.exe processes, which we observed by
of techniques as the execution environments of the malware are,
both Minerva and PackerInspector. However, researchers from
likely, significantly different. This is particularly relevant when
Symantec [36] report that Ramnit also drops a file that will be
dealing with the samples from data set #2 because malware sam-
loaded by each new instance of IEXPLORE.exe, which may be an
ples are complex applications that are sensitive to their execution
explanation for why PackerInspector observes such an injection.
environment and small changes in the environment can have a sub-
However, we think it’s most likely a result of over-approximation
stantial impact on the malware execution. However, we still feel it
in PackerInspector as it would require the IEXPLORE.exe process
is appropriate to report the results as they give certain insights into
to be launched on the system. In the other sample, PackerInspector
the differences in our approaches. The results of our experiment
finds an additional injection into a file with a random name which
are shown in Table 4.
Minerva does not. Minerva, however, observes the creation of this
In terms of multi-process monitoring, Minerva captures more in-
file but does not see it execute. In the remaining Ramnit sample,
jections than PackerInspector in eight samples and fewer injections
Minerva captures seven more injections than PackerInspector, and
in three samples. PackerInspector misses multi-process executions
both Minerva and PackerInspector identifies four injections into
in all Tinba and Gapz samples. For the Tinba samples, PackerInspec-
IEXPLORE.exe in this sample. Based on follow-up analysis, we
tor only catches the first multi-process execution which occurs into
determine six of the additional injections Minerva finds are true
the benign Windows process winver.exe, a process that is also
positives and one is a false positive. We conclude this because we
started by each sample. PackerInspector misses all multi-process ex-
found API-signatures that show injections into these processes, but
ecutions within the Gapz malware sample, and we believe there are
not the remaining one.
two possible explanations for this. First, because PackerInspector
exits prematurely, and second because Gapz uses the PowerLoader 4 md5sum e73806e3f41f61e7c7a364625cd58f65
5 md5sum
injection which does not rely on any of the API hooks used by 5384f752e3a2b59fad9d0f143ce0215a
6 md5sum c141be7ef8a49c2e8bda5e4a856386ac
PackerInspector to catch multi-process unpacking. 7 md5sum 08ab7f68c6b3a4a2a745cc244d41d213
In one CryptoWall sample, Minerva finds one more multi-process 8 md5sum 6244604b4fe75b652c05a217ac90eeac

propagation than PackerInspector, and in another sample, Minerva 9 md5sum 089c5446291c9145ad8ac6c1cdfe4928

11
 1 2 3 4-5 6-11
66% 15% 9% 5% 5%
Table 5: Number of process executions per malware sample.
1 2 3 4 5 5¡
52% 18% 7% 9% 2% 12%
Table 6: Number of waves per malware sample.
1 2 3 4 5 5¡
51% 17% 8% 3% 8% 13%
Table 7: Number of PE files constructed per malware sample.
1 2 3-5 5¡
56% 15% 18% 11%
Table 8: Number of Sections reconstructed per PE file.
0 1-10 11-15 16-20 21-25 26 ¡
18% 28% 7% 5% 2% 40%
Table 9: Number of imports per PE file.
In terms of precision for tracking API calls, there is a similar re-
lationship between Minerva and PackerInspector as when matched
with our ground-truth samples. In the samples from CryptoWall,
Tinba and Ramnit, Minerva reports roughly twelve times fewer API
calls within the malware execution than PackerInspector. We man-
ually investigated several of the Tinba samples to confirm these
numbers and found that Minerva captures API calls accurately
within the malware execution. As such, we consider the API calls
reported by PackerInspector to be a significant over-approximation.
In addition to the total number of API calls, PackerInspector cap-
tures about three times more unique API calls in each malware
execution, even in cases where Minerva finds more total API calls.
The only instances where Minerva finds more total API calls are in
the Gapz samples. The reason that there is a significant amount of
API calls in these cases is that the Gapz malware scans a remote
process for gadgets and this results in an enormous amount of
calls to ReadProcessMemory (about 99.985% of calls in the Minerva
analyses). We believe that the reason Minerva reports more API
calls than PackerInspector only in the Gapz samples, is because
PackerInspector exits prematurely.
When matched with these malware samples, it is clear that Pack-
erInspector over-approximates the API usage of the applications,
both in terms of total API calls and unique APIs used. We also find
that in the majority of times, PackerInspector under-approximates
the system-wide malware propagation and Minerva finds more
system-wide unpacking.
10 md5sum 0ed4a5e1b9b3e374f1f343250f527167
11 md5sum e5b9295e0b147501f47e2fcba93deb6c
12 md5sum 448ce1c565c4378b310fa25b4ae3b17f
13 md5sum 33cd65ebd943a41a3b65fa1ccfce067c
14 md5sum 3bb86e6920614ed9ac5d8fbf480eb437
12
7.5 Relevance on malware
In this experiment, we match Minerva with benchmark set #4.
In total we run 119 samples through Minerva and collect (1) the
number of process executions; (2) the number of waves; (3) the
number of generated PE files; (4) the number of imports in the IAT
of each PE file and (5) the number of sections in each PE file.
Table 5 shows the number of processes and Table 6 the number
of waves in our data set. We find that a third of the samples per-
form multi-process execution and that roughly half have multiple
execution waves, which means that a large part of all the samples
with single-process execution have multi-wave execution.
Table 7 shows the distribution of reconstructed PE files. We
construct more PE files than the number of captured waves, which
shows that some waves contain several regions that are non-related.
Finally, Table 8 shows the number of sections reconstructed in each
PE file and Table 9 shows the number of reconstructed imports.
For roughly 20% of the PE files, we do not monitor any API calls
in the code, and this is due to some PE files being a result of small
amounts of taint in minor code regions.
7.6 Relevance on packers
In this experiment, we show that Minerva is relevant against pub-
licly available packers from benchmark set #3. This experiment is
common practice for unpacking engines [6, 33, 38, 42] and, there-
fore, natural for us to perform. We construct a simple application
that will get the name of the current user and report back to us so
we can verify the behaviour occurred correctly. We pack this appli-
cation with 13 publicly known packers and analyse the samples in
Minerva.
We show the results of our experiment in Table 10. The table
shows the number of processes, waves, PE files, and whether we
found the original code or a derivative thereof, and also whether we
observed the original behaviour. Minerva produced PE files for most
of the packers that are very similar to the original code, including
correct API calls. In general, these packers are rather simple in
comparison to some of the techniques we observe in malware from
the wild. For example, all but one of the packers are single-process
packers. This makes sense since the packers are not necessarily
meant to be used by malicious software, but may be used by benign
applications, which are not meant to inject into other applications.
Furthermore, many of these packers rely on similar approaches for
compression, e.g. the Lempel–Ziv–Markov chain algorithm, and
the majority the packers used in these experiments are rather old.
7.7 Tinba case study
We now investigate in depth a case study of a real-world malware
sample from the Tinba malware family15 . Minerva outputs four
PE files with sizes 12KB, 12KB, 16KB and 24KB, respectively. We
manually reverse engineered the sample to fully understand the
system-wide propagation and where the sample exposes its un-
packed code. The malware first decrypts memory from its data
section and then transfers execution to this code. The decrypted
code injects code into the Windows process Winver.exe and from
Winver.exe it further injects into explorer.exe.
15 md5sum 08ab7f68c6b3a4a2a745cc244d41d213
 Packer #proc #wave #PE U OB systems that rely on hypervisor-based virtualisation for recording,
BoxedApp 1 1 1 Y Y e.g. AfterSight [8]. However, we consider PANDA’s performance
Enigma 2 11 1 Y Y good enough for malware analysis in particular because the plugins
FSG packed 1 2 2 Y Y that we deploy will have far more impact on the total analysis
mew11 1 3 4 Y Y time. Naturally, the performance overhead in the recording stage
MoleBox 1 4 9 Y Y can be used by the malware to evade analysis, and we discuss this
mpress 1 2 2 Y Y further in Section 8. In this performance evaluation, we focus on
PackMan 1 2 2 Y Y the overhead of Minerva’s analysis when replaying the recorded
PECompact 1 4 4 Y Y execution, and the numbers we report in this section are based
PEtite 1 4 4 Y Y on analysis of the 25 malware samples from the Ramnit, Gapz,
tElock 0 0 0 N N CryptoWall and Tinba families.
UPX 1 2 2 Y Y
WinUpack 1 2 w Y Y
6,000 LLVM + taint + Minerva
XComp 1 2 2 Y Y
LLVM + taint
Table 10: The results from matching Minerva with known

Seconds
packers. OB indicates if we observed the original behaviour 4,000
of the packed application. U indicates if we found the origi-
nal code in Minerva’s output. 2,000

To inject code into Winver.exe Tinba launches a new instance
of Winver.exe in a suspended state. Then, Tinba allocates mem-
ory on the heap of the newly started Winver.exe and copies some
malicious code into this specific memory. Tinba then overwrites
six bytes of the Start function in Winver.exe with the instruc-
tions push ADDR; ret, where ADDR is some address inside the
dynamically generated malicious code. Effectively, Tinba ensures
execution of its malicious code in Winver.exe by overwriting an
initial function in Winver.exe to hijack execution.
Minerva captures one execution wave and outputs two unpacked
PE files for the code in Winver.exe, one PE file based on a single
execution wave in explorer.exe and also one PE file from the
unpacked code in the initial process. The PE files produced by
Minerva has 0, 11, 12 and 26 imports reconstructed. These results
capture the execution perfectly because the PE file with 0 imports is
purely the push ADDR; ret instructions of the malware execution
trace in Winver.exe and the rest of the PE files contain various
other stages with more payload content.
Minerva correctly identifies the malicious code, both the patched
code of Winver.exe and also the code on the heap that contains
the core of the malware code. More importantly, the PE files pre-
cisely capture the malware execution, and from the execution trace
output by Minerva, we can precisely see the exact instructions
push ADDR; ret. Minerva also catches the exact malware code
inside of the explorer.exe process. The PE file captured from the
second execution wave in the original malware process contains 11
imports in its reconstructed IAT, five of which are ResumeThread,
CreateProcessA, WriteProcessMemory, VirtualAllocEx and
VirtualProtectEx. A novice analysts can quickly determine that
the execution performs a code-injection based on these API calls.
7.8 Performance evaluation
In the final part of our evaluation, we monitor the performance
of Minerva. The authors of PANDA report that recording gives
a 1.85x slowdown in comparison to QEMU alone and replaying
incurs a 3.57x slowdown [11]. This is expensive in comparison to
13
0
0 0.2 0.4 0.6 0.8 1 1.2 1.4 1.6
·109
Instructions replayed
Figure 5: The average number and standard deviation of in-
structions replayed relative to time, for instruction counts
where we have more than 3 samples executing the given
number of instructions.
The blue curve of Figure 5 shows the number of instructions
replayed relative to the time taken in each of the analyses. On
average the replay time is 3166 seconds, resulting in a 126x slow-
down of the recording time, and we analysed on average 432365
instructions per second. In comparison, the developers of PANDA
report a 24.7x slowdown when tainting data sent over the network
and a 67.7x slowdown for tainting a 1KB file and encrypting it with
AES-CBC-128 [11]. Additionally, Figure 6 shows the number of
instructions that it took to replay the samples in our data set, and
we observe that for about 90% of the samples this required less than
2 billion instructions.
Another interesting metric is the specific overhead incurred
by Minerva-only code. Specifically, there is some share of the
overhead that is due to the translation of QEMU TCG instructions
to LLVM instructions and also overhead that is specific to the taint
implementation of PANDA. None of these requirements is strict
to Minerva, in that we are not reliant on LLVM specifically, and
PANDA’s taint analysis does not focus on performance. Several
systems focus on fast taint analysis [7, 16, 35] and, conceptually,
the techniques of Minerva can be implemented on top of these taint
libraries as well. To understand the overhead of Minerva’s code,
we ran the samples through a replay with LLVM-translation and
taint analysis enabled, and no Minerva-specific analysis code. This
gives us a reasonable estimate for how much of the analysis time
was spent in the specific code related to Minerva. The black curve
in Figure 5 shows these numbers. On average, each execution took
1275 seconds with the overhead of LLVM translation and PANDA’s
taint library. This corresponds to an average of 51x slowdown,
meaning that Minerva’s code takes up a bit more than half of the The sample we observed with the longest replay time is from the
total 126x slowdown. Nymaim family that has a stalling loop with 1.4 billion iterations,
and after the stalling loop, it calls the Sleep function from the
LLVM + taint + Minerva Windows API to further stall the execution. In total, our 25-second
recording of this sample took 170,000 seconds to replay.
% of samples

100

50

0
0 1 2 3 4
Instructions to complete replay ·109

Figure 6: The amount of instructions needed to replay the

samples in our data set. The horizontal blue line shows the
90% mark.

During the replay of a malware sample, Minerva does no check-

ing to verify if the analysis is progressing, is stuck or something
similar, and the numbers above report the total time of each analysis-
replay. An interesting metric in addition to the total replay time
is the time it took to reveal the instructions executed in each mal-
ware sample. In Figure 7 we show the time it took to uncover 95%,
%99 and %100 of the unique instructions executed by the malware
samples, respectively. The numbers decrease significantly, and on
average it took 1614, 1964 and 2543 seconds to uncover 95%, %99
and %100 of the unique instructions executed, respectively. As such,
it took roughly half of the total replay time to reveal 95% of the
instructions in each sample.
8,000
95% instruction coverage
6,000 99% instruction coverage
Seconds
Figure 8: Stalling loop in Kovter malware.
8 LIMITATIONS
Stolen bytes and copying Windows API. Minerva’s precise API
capturing of API calls depends on monitoring whether the target
address of branch instructions is the start of some Windows API
function. Some malware use an anti-analysis technique, called
stolen bytes, that copies a share of some API function to another
place in memory to execute that code and then branch in the middle
of the given API function. In this context, they avoid calling the
beginning of the function and our technique will not capture it.
One solution to this is to identify function boundaries for each API
function and then monitor ranges rather than the function start.

100% instruction coverage In a more general setting, malware can copy entire functions
4,000 or modules from the Windows API and then rely on the copied
code rather than calling the original Windows code. In this context,
2,000 Minerva will still capture whenever system calls happen, but new
measurements should be taken for identifying the copying of Win-
0 dows code. One approach is to mark library code with a specific
0 20 40 60 80 100
taint label and then monitor whether library code is propagated.
% samples Naturally, this solution is subject to the limitations of taint analy-
sis. Another approach is to incorporate forensic techniques that
Figure 7: The time taken to explore the unique instructions determine the similarity between the code in a given process and a
in each malware sample. set of external libraries, which we discuss further in the following
paragraph.
The biggest performance bottleneck we found in Minerva is
Inlining and statically linked binaries. A limitation in Min-
when malware makes the code execute longer via stalling loops.
erva in terms of identifying external dependencies is when malware
An example of a stalling loop from a Kovter sample16 is shown in
deploys inlined or statically linked code. The difference between
Figure 8. In total, the loop does 20 million iterations with sixteen
this and copying external libraries as described above is that inlin-
calls to functions from the Windows API in each iteration. The loop
ing and statically linking occurs at compile time where copying
has no real effect and is purely garbage code. In total, our 25-second
occurs at run time. Minerva is not capable of identifying inlined
recording of this sample reaches 17 million iterations before the
or statically linked external dependencies, and we consider this to
recording is over and incurs a replay time of 3300 seconds.
be a slightly different problem, namely similarity analysis of the
16 md5 of sample 147330a7ec2e27e2ed0fe0e921d45087 malware code with library implementations. However, inlining
14
and statically linking can, of course, be used in combination with
obfuscation techniques and similar, and, therefore, the problem be-
comes determining program equivalence in the general case, which
is a well-known undecidable problem. Nonetheless, efforts can still
yield positive and practical results as shown by previous work in
areas such as library fingerprinting [13, 20], structural comparison
of binary code [12, 14, 30] and, most recently, similarity detection
via machine learning [32, 41].
Performance limitations. There are currently two main per-
formance limitations in Minerva. First, malware can detect the
presence of the recording component due to the 3.56x slowdown,
and second, the replaying component limits the throughput of Min-
erva due to its performance cost. Stalling loops seem to pose a
core limitation in this context. There is, however, previous work on
how to deal with stalling loops in the context of full system emula-
tion. Kolbitsch et al. implemented several features into the Anubis
analysis system [27]. Their approach is to implement heuristics
that detect when stalling loops occur and then either disable heavy
instrumentation until the stalling loop exits or force execution out
of the loop. The first approach is certainly possible to implement
in Minerva, but it may run into issues if the stalling loop is also
responsible for propagating executable malicious code since the
taint analysis would likely be disabled. The second approach is
more challenging to implement because replaying is not able to
change execution-path in the guest system, as the execution is fixed
to the replay log.
We consider five main avenues to improving performance. First,
we can use hardware assisted virtualisation during recording and
only full system emulation during replay, as suggested in After-
Sight [8]. Second, we can implement various on-and-off analyses
during the replay similar to Kolbitsch et al. Third, we can add light
anti-analysis monitoring during the recording, for example, to limit
the effectiveness of calls to functions like Sleep. In this case how-
ever, the implementation must use some form of approximation to
determine the malware execution trace since taint analysis will not
be available. Fourth, we can improve the speed of various parts in
PANDA, such as the taint analysis plugin. Instead of converting
instructions to LLVM and performing taint analysis on the LLVM
code, we can adopt the taint system by DECAF, which occurs di-
rectly on the QEMU tcg instructions [16]. Finally, an interesting
avenue is implementing a feedback loop between record-and-replay
that based on the analysis in the replay sends information to the
recording about where a delay in execution occur and how to han-
dle it. In this way, it is possible to incrementally build up a complete
execution trace of the malware without anti-analysis tricks.
9 RELATED WORK
Automatic unpacking. There are many works in automatic un-
packing of malware and we have already discussed several of these
throughout the paper [10, 17, 21, 23, 33, 39, 42]. Some of this work
considers the concept of IAT destruction [21, 28, 39] and IAT recon-
struction has also been considered on a more general basis [24]. The
work by Ugarte et al. [42] highlights several missing gaps in exist-
ing unpackers and proposes a system-wide approach to unpacking.
However, as we observed in this paper, their approach is severely
15
limited. In some aspects, Ugarte et al. provide a more refined model
for dynamically generated code in that they assign various labels
to the memory written by the malware based on whether it is exe-
cuted and alike. These labels can easily be integrated into Minerva.
In addition to this, they also highlight that several limitations in
existing unpackers exist due to missing reference data sets, which
indeed also motivated the construction of our synthetic benchmark
set #1.
The work that is closest to ours is Tartarus [29] and the ideas
of this paper are heavily inspired by their work. We deploy a
similar approach to tracing the malware throughout the whole
system, however, we deploy a different model of dynamically gen-
erated malicious code and also propose novel algorithms for making
the output suitable for follow-up analysis. In particular, the post-
processing we describe in this paper is novel and our model of
dynamically generated code is explicitly connected to previous
waves whereas Tartarus simply dumps the whole of tainted mem-
ory whenever a new wave executions. As such, our model is more
precise and also formally defined.
System-wide malware execution. Several works have closely
considered the concept of malware executing throughout the whole
system. In particular, Panorama [43], DiskDuster[1], Tartarus [29]
and API Chaser [25] use dynamic taint analysis to capture this.
Barabosch et al. has also investigated the problem with code in-
jection by analysing memory dumps [4] and also at run time [5].
Minerva relies on the same techniques as Tartarus to trace malware
execution through the system. An interesting approach at the other
end of the spectrum is explored by Ispoglou and Payer in malWASH
[19], where they propose to write complex malware using exactly
the paradigm of system-wide execution.
Malware disassembly. The work in this paper is closely related
to techniques that focus on disassembling malicious software. An
accurate description of our work within this domain, rather than
unpacking, is a system-wide malware disassembler. We gather a
precise instruction-level execution trace of the malware and then
gather more content to include in the reconstructed PE file with
speculative disassembly. Traditionally, disassembly techniques are
split between linear sweep, as used in GNU’s Objdump, and recur-
sive traversal [9, 40] algorithms. However, there are several pieces
of previous work on disassembly that specifically target malware
and these move beyond the traditional approaches. Kruegel et al.
present an approach that combines a variety of techniques from
control-flow analysis and statistical methods, in order to statically
disassemble obfuscated binaries [31]. Kinder and Veith present
an approach based on abstract interpretation that statically dis-
assembles binaries and also resolves indirect branch instructions
[26]. Rosenblum et al. present a classification approach to identify
function entry points [37], and Bao et al. [3] follow the same path
and use machine learning and static analysis to identify functions
within binaries. They train a weighted-prefix tree that recognises
function starting points in a binary file and then value-set analysis
[2] with an incremental control-flow recovery algorithm to identify
function boundaries.
10 CONCLUSIONS
In this paper, we proposed a system called Minerva that focuses [8]
on generic and precise malware unpacking. From a technical point
of view, Minerva deploys a concatic approach with both dynamic
and static analysis and partitions the malware execution trace into [9]
execution waves based on information flow analysis. Minerva
precisely monitors the API-calls of the malware code and accurately [10]
correlates these to the unpacked code. Based on the output of the
dynamic analysis, Minerva performs static analysis on the execution
waves to output a set of reconstructed PE files with valid import [11]
address tables and patched API calls.
From a theoretical point of view, Minerva deploys a precise
model of execution waves based on an information flow model that [12]
captures dynamically generated malicious code independently of
[13]
who wrote the code. We came up with several novel algorithms [14]
that combine these execution waves with other artefacts collected
from the dynamic analysis to carefully produce PE files that are
well-suited for follow-up static analysis. [15]
Finally, we proposed a new set of benchmark applications that
exhibit unpacking behaviours with various forms of dynamically
generated code, system-wide execution and import-address table [16]
destruction in order to address a missing gap in terms of ground-
truth samples for testing unpackers. This benchmark suite is the
first of its kind in that previous benchmark data sets for testing [17]
automatic unpackers rely on third-party applications to perform
the packing.
We evaluated Minerva against our synthetic applications, real-
[18]
world malware samples and also performed a comparative evalua- [19]
tion. Our results show that Minerva is significantly more precise
than previous work and outputs unpacked code that shows exter-
nal dependencies, which previous work does not. Our results also [20]
show that Minerva captures system-wide unpacking in many cases
where previous work fails.
[21]
REFERENCES
[1] Andrei Bacs, Remco Vermeulen, Asia Slowinska, and Herbert Bos. 2013. System- [22]
Level Support for Intrusion Recovery. In Detection of Intrusions and Malware,
and Vulnerability Assessment, Ulrich Flegel, Evangelos Markatos, and William
Robertson (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 144–163. [23]
[2] G. Balakrishnan, T. Reps, D. Melski, and T. Teitelbaum. 2008. WYSINWYX: What
You See Is Not What You eXecute. Springer Berlin Heidelberg, Berlin, Heidelberg,
202–213. https://doi.org/10.1007/978-3-540-69149-5 22
[3] Tiffany Bao, Jonathan Burket, Maverick Woo, Rafael Turner, and David Brumley. [24]
2014. BYTEWEIGHT: Learning to Recognize Functions in Binary Code. In
Proceedings of the 23rd USENIX Security Symposium, San Diego, CA, USA, August
20-22, 2014. 845–860. https://www.usenix.org/conference/usenixsecurity14/
technical-sessions/presentation/bao
[4] Thomas Barabosch, Niklas Bergmann, Adrian Dombeck, and Elmar Padilla. 2017.
Quincy: Detecting Host-Based Code Injection Attacks in Memory Dumps. In [26]
Detection of Intrusions and Malware, and Vulnerability Assessment, Michalis Poly-
chronakis and Michael Meier (Eds.). Springer International Publishing, Cham,
209–229.
[5] Thomas Barabosch, Sebastian Eschweiler, and Elmar Gerhards-Padilla. 2014. [27]
Bee Master: Detecting Host-Based Code Injection Attacks. In Detection of Intru-
sions and Malware, and Vulnerability Assessment, Sven Dietrich (Ed.). Springer
International Publishing, Cham, 235–254.
[6] Guillaume Bonfante, Jose Fernandez, Jean-Yves Marion, Benjamin Rouxel, Fab-
rice Sabatier, and Aurélien Thierry. 2015. CoDisasm: Medium Scale Con- [28]
catic Disassembly of Self-Modifying Binaries with Overlapping Instructions.
In Proceedings of the 22Nd ACM SIGSAC Conference on Computer and Com-
munications Security (CCS ’15). ACM, New York, NY, USA, 745–756. https:
//doi.org/10.1145/2810103.2813627
[7] Erik Bosman, Asia Slowinska, and Herbert Bos. 2011. Minemu: The World’s [29]
Fastest Taint Tracker. In Proceedings of the 14th International Conference on Recent
16
Advances in Intrusion Detection (RAID’11). Springer-Verlag, Berlin, Heidelberg,
1–20. https://doi.org/10.1007/978-3-642-23644-0 1
Jim Chow, Tal Garfinkel, and Peter M. Chen. 2008. Decoupling Dynamic Pro-
gram Analysis from Execution in Virtual Environments. In USENIX 2008 Annual
Technical Conference (ATC’08). USENIX Association, Berkeley, CA, USA, 1–14.
http://dl.acm.org/citation.cfm?id=1404014.1404015
Cristina Cifuentes and K. John Gough. 1995. Decompilation of Binary Pro-
grams. Softw. Pract. Exper. 25, 7 (July 1995), 811–829. https://doi.org/10.1002/
spe.4380250706
Artem Dinaburg, Paul Royal, Monirul Sharif, and Wenke Lee. 2008. Ether:
Malware Analysis via Hardware Virtualization Extensions. In Proceedings of the
15th ACM Conference on Computer and Communications Security (CCS ’08). ACM,
New York, NY, USA, 51–62. https://doi.org/10.1145/1455770.1455779
Brendan Dolan-Gavitt, Josh Hodosh, Patrick Hulin, Tim Leek, and Ryan Whelan.
2015. Repeatable Reverse Engineering with PANDA. In Proceedings of the 5th
Program Protection and Reverse Engineering Workshop (PPREW-5). ACM, New
York, NY, USA, Article 4, 11 pages. https://doi.org/10.1145/2843859.2843867
Thomas Dullien and Rolf Rolles. 2005. Graph-based comparison of executable
objects (english version). SSTIC 5 (01 2005).
Mike Van Emmerik. 1994. Signatures for Library Functions in Executable Files.
Halvar Flake. 2004. Structural Comparison of Executable Objects. In Detection
of Intrusions and Malware & Vulnerability Assessment, GI SIG SIDAR Workshop,
DIMVA 2004, Dortmund, Germany, July 6.7, 2004, Proceedings. 161–173. http:
//subs.emis.de/LNI/Proceedings/Proceedings46/article2970.html
Fanglu Guo, Peter Ferrie, and Tzi-cker Chiueh. 2008. A Study of the Packer
Problem and Its Solutions. In Recent Advances in Intrusion Detection, Richard
Lippmann, Engin Kirda, and Ari Trachtenberg (Eds.). Springer Berlin Heidelberg,
Berlin, Heidelberg, 98–115.
Andrew Henderson, Lok-Kwong Yan, Xunchao Hu, Aravind Prakash, Heng
Yin, and Stephen McCamant. 2017. DECAF: A Platform-Neutral Whole-System
Dynamic Binary Analysis Platform. IEEE Trans. Softw. Eng. 43, 2 (Feb. 2017),
164–184. https://doi.org/10.1109/TSE.2016.2589242
Xin Hu, Sandeep Bhatkar, Kent Griffin, and Kang G. Shin. 2013. MutantX-S:
Scalable Malware Clustering Based on Static Features. In Proceedings of the 2013
USENIX Conference on Annual Technical Conference (USENIX ATC’13). USENIX
Association, Berkeley, CA, USA, 187–198. http://dl.acm.org/citation.cfm?id=
2535461.2535485
Thomas Hungenberg and Matthias Eckert. 2018. http://www.inetsim.org/.
Kyriakos K. Ispoglou and Mathias Payer. 2016. malWASH: Washing Malware
to Evade Dynamic Analysis. In 10th USENIX Workshop on Offensive Technolo-
gies (WOOT 16). USENIX Association, Austin, TX. https://www.usenix.org/
conference/woot16/workshop-program/presentation/ispoglou
Emily R. Jacobson, Nathan Rosenblum, and Barton P. Miller. 2011. Labeling
Library Functions in Stripped Binaries. In Proceedings of the 10th ACM SIGPLAN-
SIGSOFT Workshop on Program Analysis for Software Tools (PASTE ’11). ACM,
New York, NY, USA, 1–8. https://doi.org/10.1145/2024569.2024571
Sébastien Josse. 2007. Secure and advanced unpacking using computer emulation.
Journal in Computer Virology 3, 3 (01 Aug 2007), 221–236. https://doi.org/10.
1007/s11416-007-0046-0
S. Josse. 2014. Malware Dynamic Recompilation. In 2014 47th Hawaii International
Conference on System Sciences. 5080–5089. https://doi.org/10.1109/HICSS.2014.
624
Min Gyung Kang, Pongsin Poosankam, and Heng Yin. 2007. Renovo: A Hidden
Code Extractor for Packed Executables. In Proceedings of the 2007 ACM Workshop
on Recurring Malcode (WORM ’07). ACM, New York, NY, USA, 46–53. https:
//doi.org/10.1145/1314389.1314399
Yuhei Kawakoya, Makoto Iwamura, and Jun Miyoshi. 2018. Taint-assisted IAT
Reconstruction against Position Obfuscation. JIP 26 (2018), 813–824. https:
//doi.org/10.2197/ipsjjip.26.813
[25] Yuhei Kawakoya, Eitaro Shioji, Makoto Iwamura, and Jun Miyoshi. 2019. API
Chaser: Taint-Assisted Sandbox for Evasive Malware Analysis. Journal of Infor-
mation Processing 27 (2019), 297–314. https://doi.org/10.2197/ipsjjip.27.297
Johannes Kinder and Helmut Veith. 2008. Jakstab: A Static Analysis Platform
for Binaries. In Proceedings of the 20th International Conference on Computer
Aided Verification (CAV ’08). Springer-Verlag, Berlin, Heidelberg, 423–427. https:
//doi.org/10.1007/978-3-540-70545-1 40
Clemens Kolbitsch, Engin Kirda, and Christopher Kruegel. 2011. The Power of
Procrastination: Detection and Mitigation of Execution-stalling Malicious Code.
In Proceedings of the 18th ACM Conference on Computer and Communications
Security (CCS ’11). ACM, New York, NY, USA, 285–296. https://doi.org/10.1145/
2046707.2046740
David Korczynski. 2016. RePEconstruct: reconstructing binaries with self-
modifying code and import address table destruction. In IEEE 11th Interna-
tional Conference on Malicious and Unwanted Software, MALWARE 2016, Fa-
jardo, PR, USA, October 18-21, 2016. IEEE Computer Society, 31–38. https:
//doi.org/10.1109/MALWARE.2016.7888727
David Korczynski and Heng Yin. 2017. Capturing Malware Propagations with
Code Injections and Code-Reuse Attacks. In Proceedings of the 2017 ACM SIGSAC
 Conference on Computer and Communications Security, CCS 2017, Dallas, TX,
USA, October 30 - November 03, 2017, Bhavani M. Thuraisingham, David Evans,
Tal Malkin, and Dongyan Xu (Eds.). ACM, 1691–1708. https://doi.org/10.1145/
3133956.3134099
[30] Christopher Kruegel, Engin Kirda, Darren Mutz, William Robertson, and Gio-
vanni Vigna. 2006. Polymorphic Worm Detection Using Structural Information of
Executables. In Proceedings of the 8th International Conference on Recent Advances
in Intrusion Detection (RAID’05). Springer-Verlag, Berlin, Heidelberg, 207–226.
https://doi.org/10.1007/11663812 11
[31] Christopher Kruegel, William Robertson, Fredrik Valeur, and Giovanni Vigna.
2004. Static Disassembly of Obfuscated Binaries. In Proceedings of the 13th Confer-
ence on USENIX Security Symposium - Volume 13 (SSYM’04). USENIX Association,
Berkeley, CA, USA, 18–18. http://dl.acm.org/citation.cfm?id=1251375.1251393
[32] Yujia Li, Chenjie Gu, Thomas Dullien, Oriol Vinyals, and Pushmeet Kohli. 2019.
Graph Matching Networks for Learning the Similarity of Graph Structured
Objects. https://openreview.net/forum?id=S1xiOjC9F7
[33] L. Martignoni, M. Christodorescu, and S. Jha. 2007. OmniUnpack: Fast, Generic,
and Safe Unpacking of Malware. In Twenty-Third Annual Computer Security
Applications Conference (ACSAC 2007). 431–441. https://doi.org/10.1109/ACSAC.
2007.15
[34] Mario Polino, Andrea Continella, Sebastiano Mariani, Stefano D’Alessio, Lorenzo
Fontana, Fabio Gritti, and Stefano Zanero. 2017. Measuring and Defeating Anti-
Instrumentation-Equipped Malware. In Detection of Intrusions and Malware,
and Vulnerability Assessment, Michalis Polychronakis and Michael Meier (Eds.).
Springer International Publishing, Cham, 73–96.
[35] Georgios Portokalidis, Asia Slowinska, and Herbert Bos. 2006. Argos: an Emula-
tor for Fingerprinting Zero-Day Attacks. In Proc. ACM SIGOPS EUROSYS’2006.
Leuven, Belgium.
[36] Symantec Security Response. 2015. W32.Ramnit analysis.
[37] Nathan E. Rosenblum, Xiaojin Zhu, Barton P. Miller, and Karen Hunt. 2008.
Learning to Analyze Binary Computer Code. In Proceedings of the Twenty-Third
AAAI Conference on Artificial Intelligence, AAAI 2008, Chicago, Illinois, USA, July
13-17, 2008. 798–804. http://www.aaai.org/Library/AAAI/2008/aaai08-127.php
[38] Paul Royal, Mitch Halpin, David Dagon, Robert Edmonds, and Wenke Lee. 2006.
PolyUnpack: Automating the Hidden-Code Extraction of Unpack-Executing
Malware. In Proceedings of the 22Nd Annual Computer Security Applications
Conference (ACSAC ’06). IEEE Computer Society, Washington, DC, USA, 289–300.
https://doi.org/10.1109/ACSAC.2006.38
[39] Monirul Sharif, Vinod Yegneswaran, Hassen Saidi, Phillip Porras, and Wenke Lee.
2008. Eureka: A Framework for Enabling Static Malware Analysis. In Computer
Security - ESORICS 2008, Sushil Jajodia and Javier Lopez (Eds.). Springer Berlin
Heidelberg, Berlin, Heidelberg, 481–500.
[40] Richard L. Sites, Anton Chernoff, Matthew B. Kirk, Maurice P. Marks, and Scott G.
Robinson. 1993. Binary Translation. Commun. ACM 36, 2 (Feb. 1993), 69–81.
https://doi.org/10.1145/151220.151227
[41] Wei Song, Heng Yin, Chang Liu, and Dawn Song. 2018. DeepMem: Learning
Graph Neural Network Models for Fast and Robust Memory Forensic Analysis. In
Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications
Security, CCS 2018, Toronto, ON, Canada, October 15-19, 2018. 606–618. https:
//doi.org/10.1145/3243734.3243813
[42] Xabier Ugarte-pedrero, Davide Balzarotti, Igor Santos, and Pablo G. Bringas.
[n.d.]. SoK: Deep Packer Inspection: A Longitudinal Study of the Complexity of
Run-Time Packers.
[43] Heng Yin, Dawn Song, Manuel Egele, Christopher Kruegel, and Engin Kirda.
2007. Panorama: Capturing System-wide Information Flow for Malware De-
tection and Analysis. In Proceedings of the 14th ACM Conference on Computer
and Communications Security (CCS ’07). ACM, New York, NY, USA, 116–127.
https://doi.org/10.1145/1315245.1315261

17