A common approach that malware takes to hide itself is packing. Traditionally, packing was a means to compress an executable, then unpack and execute it at run time. Packing can also be used as an obfuscation technique by those who wish to hide their executable code: the real code is absent from the file on disk and only appears in memory once the stub has run. For a while I have been mulling over how to write a generic unpacker. A general rule I came up with is that the unpacked code would have to be written to memory, and then that memory would have to be executed. Since I was looking at a sample that did exactly this, I wrote a Pintool to retrieve the unpacked memory regions.
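The "written, then executed" rule above is the whole heuristic, so here it is as an added, stand-alone C++ example (not the Pintool from the post, and not Pin code): a tracker that merges written byte ranges, keeps a shadow copy of the written bytes, and fires the first time an instruction fetch lands inside a range that was written earlier. It also handles a second layer overwriting an already-captured region, which a multi-stage packer does. The trace that drives it, and every address and byte in it, is constructed for the example.

```cpp
// Added example: the "written, then executed" heuristic behind a generic
// unpacker, implemented without Pin so it compiles and runs stand-alone.
// In a real Pintool the two callbacks would be driven by instrumentation;
// here a constructed trace stands in for the instrumented run.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <iterator>
#include <map>
#include <vector>

struct Region {
    uint64_t start;  // inclusive
    uint64_t end;    // exclusive
};

class WriteExecTracker {
public:
    // Record a memory write: track the byte range and keep a shadow copy of the
    // bytes so a dump reproduces what the packer stub actually emitted.
    void onWrite(uint64_t addr, const uint8_t* data, size_t size) {
        for (size_t i = 0; i < size; ++i) shadow_[addr + i] = data[i];
        uint64_t s = addr, e = addr + size;
        auto it = written_.lower_bound(s);
        if (it != written_.begin() && std::prev(it)->second >= s) it = std::prev(it);
        while (it != written_.end() && it->first <= e) {   // merge overlapping/abutting ranges
            s = std::min(s, it->first);
            e = std::max(e, it->second);
            it = written_.erase(it);
        }
        written_[s] = e;
        // A write into an already-dumped region means another layer is being
        // unpacked on top of the first; forget the old dump so it is re-captured.
        dumped_.erase(std::remove_if(dumped_.begin(), dumped_.end(),
                      [s, e](const Region& r) { return r.start < e && s < r.end; }),
                      dumped_.end());
    }

    // Called for every instruction fetch. Returns true (and records a dump) the
    // first time control lands inside a region that was written earlier.
    bool onExecute(uint64_t ip) {
        auto it = written_.upper_bound(ip);
        if (it == written_.begin()) return false;
        --it;
        if (ip >= it->second) return false;              // not inside a written range
        Region r{it->first, it->second};
        for (const Region& d : dumped_)
            if (ip >= d.start && ip < d.end) return false;  // already captured
        dumped_.push_back(r);
        return true;
    }

    // Bytes of a captured region, as they would be written out to disk.
    std::vector<uint8_t> dump(const Region& r) const {
        std::vector<uint8_t> out;
        for (uint64_t a = r.start; a < r.end; ++a) {
            auto it = shadow_.find(a);
            out.push_back(it == shadow_.end() ? 0 : it->second);
        }
        return out;
    }

    const std::vector<Region>& dumped() const { return dumped_; }

private:
    std::map<uint64_t, uint64_t> written_;  // start -> end, merged, non-overlapping
    std::map<uint64_t, uint8_t> shadow_;    // last byte value written at each address
    std::vector<Region> dumped_;
};

// Constructed trace (addresses and bytes are invented for the example): a stub
// at 0x401000 writes a 32-byte payload to 0x500000 in three pieces, then jumps
// into it; a second layer later overwrites part of the payload and runs again.
// Returns how many times the tracker decided a dump was warranted.
int runConstructedTrace(WriteExecTracker& t) {
    const uint8_t a[8]  = {0x55, 0x48, 0x89, 0xe5, 0x90, 0x90, 0x90, 0x90};
    const uint8_t b[8]  = {0x48, 0x31, 0xc0, 0x90, 0x90, 0x90, 0x90, 0xc3};
    const uint8_t c[16] = {0};
    int dumps = 0;
    t.onWrite(0x500000, a, 8);
    t.onWrite(0x500008, b, 8);
    t.onWrite(0x500010, c, 16);
    if (t.onExecute(0x401005)) ++dumps;   // stub code itself: never written, no dump
    if (t.onExecute(0x500000)) ++dumps;   // first entry into unpacked code: dump
    if (t.onExecute(0x500008)) ++dumps;   // same region, already captured: no dump
    const uint8_t patch[4] = {0xcc, 0xcc, 0xcc, 0xcc};
    t.onWrite(0x500008, patch, 4);        // second layer rewrites the payload
    if (t.onExecute(0x50000c)) ++dumps;   // re-entry after rewrite: dump again
    return dumps;
}
```

To wire this into Pin you would attach `onWrite` to instructions where `INS_IsMemoryWrite` holds, passing `IARG_MEMORYWRITE_EA` and `IARG_MEMORYWRITE_SIZE`; note that the effective address is only available at `IPOINT_BEFORE`, so the bytes themselves have to be read after the instruction retires. `onExecute` would receive `IARG_INST_PTR`, but checking every instruction is slow, so a production tool usually tests at basic-block or trace entry instead. The heuristic also fires on legitimate self-modifying code and JIT compilers, so expect false positives on anything that generates code at run time.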
read more.....http://vrt-blog.snort.org/2014/04/dynamically-unpacking-malware-with-pin.html