2025
Conference Paper
Title
Democratizing Generic Malware Unpacking
Abstract
A significant obstacle to the efficient analysis of malware is packers that encrypt or otherwise obfuscate malicious code. However, despite the prominence of packers, the research field concerned with their countermeasures, i.e., generic malware unpackers, is currently disorganized and dominated by closed-source, for-profit solutions. Furthermore, it lacks a unified problem definition, a specification of what exactly a generic unpacker needs to be able to do, accessible data sets on which to compare solutions, and a baseline open-source implementation of a generic unpacker. This situation has made the field very unattractive for research groups with typically limited time and funding, as they essentially have to start from scratch, further exacerbating the dominance of for-profit solutions. In this paper, our aim is to change this state of affairs by providing the fundamentals needed to encourage new research. We first show through a literature review that there is currently no unified definition of malware unpacking. Using the most common elements of previous approaches, we then propose a unified definition of malware unpacking and a set of requirements that a generic malware unpacker needs to fulfill. We further contribute an open-source implementation of a generic malware unpacker based on these, as well as an evaluation of it on two publicly accessible data sets. As shown in this paper, our implementation was able to unpack 92 % of the executable samples in these data sets. We hope that by providing the community with these tools, we can help to rethink the field of malware unpacking: away from closed-source, for-profit governance towards a more democratic, open-source dominated field.
Author(s)