Automatic static unpacking of malware binaries

Kevin Coogan, Saumya Debray, Tasneem Kaochar, Gregg Townsend

Research output: Chapter in Book/Report/Conference proceedingConference contribution

51 Scopus citations


Current malware is often transmitted in packed or encrypted form to prevent examination by anti-virus software. To analyze new malware, researchers typically resort to dynamic code analysis techniques to unpack the code for examination. Unfortunately, these dynamic techniques are susceptible to a variety of anti-monitoring defenses, as well as "time bombs" or "logic bombs," and can be slow and tedious to identify and disable. This paper discusses an alternative approach that relies on static analysis techniques to automate this process. Alias analysis can be used to identify the existence of unpacking, static slicing can identify the unpacking code, and control flow analysis can be used to identify and neutralize dynamic defenses. The identified unpacking code can be instrumented and transformed, then executed to perform the unpacking. We present a working prototype that can handle a variety of malware binaries, packed with both custom and commercial packers, and containing several examples of dynamic defenses.

Original languageEnglish (US)
Title of host publicationProceedings - 16th Working Conference on Reverse Engineering, WCRE 2009
Number of pages10
StatePublished - 2009
Externally publishedYes
Event16th Working Conference on Reverse Engineering, WCRE 2009 - Lille, France
Duration: Oct 13 2009Oct 16 2009

Publication series

NameProceedings - Working Conference on Reverse Engineering, WCRE
ISSN (Print)1095-1350


Other16th Working Conference on Reverse Engineering, WCRE 2009


  • Analysis
  • Dynamic defenses
  • Malware
  • Static unpacking

ASJC Scopus subject areas

  • Software


Dive into the research topics of 'Automatic static unpacking of malware binaries'. Together they form a unique fingerprint.

Cite this