Research Article
All-in-One Framework for Detection, Unpacking, and Verification for Malware Analysis
Algorithm 2
Dynamic unpacking algorithm.
| | Input: A PE file | | | Output: OEP //the start address of the unpacked original file. | | | begin | | (1) | Measure the entropy value of each section; | | (2) | while the process is not reached to the end do | | (3) | IP the current instruction pointer; | | (4) | if IP’s address current section’s last address then return Not-Found; | | (5) | else if IP is JMP or CJMP or RETN then | | (6) | Execute instructions until IP; | | (7) | DstAddr the next instruction address; | | (8) | if IP IP-Histroy and DstAddr DstAddr-History then | | (9) | Store IP and DstAddr into each history; | | (10) | if DstAddr is out of the file then return Not-Found; | | (11) | else | | (12) | Re-calculate the entropy value of each section; | | (13) | if Entropy change is stable and DstAddr is in the different section then | | (14) | return DstAddr; | | (15) | end-if | | (16) | end-if | | (17) | end-if | | (18) | end-while | | (19) | return Not-Found; | | | end |
|
