A unpacking and reconstruction system-AGUnpacker

Malware are packed to create new variants in order to evade signature-based detector or reverse engineering(RE). According to the primary behaviors of packing, which are code obfuscation,PE formats modification and Anti-technique, a solution-AGUpacker is proposed. For code obfuscation, AGUpacker decides when the object program has decrypted itself completely in memory on the basis of stack balance role, intersection jump role and the characteristics of entrance. For PE formats modification, after locating Import Address Table (IAT) by monitoring all of the call instructions, a forensics tracing technique to restore the items in IAT, which are unmatched with Export Table items of DLL, is presented to obtain a runnable binary. In order to bypass anti-technique, our system is implemented by taking over exceptions through common ways. Empirical testing indicates that AGUpacker can deal with both known and unknown packer independent of packing algorithms and it is faster than existing unpackers such as PolyUnpack significantly.