Abstract—Nearly every malware sample is sheathed in an
executable protection which must be removed before static
analyses can proceed. Existing research has studied automatically
unpacking certain protections, but has not yet caught up
with many modern techniques. Contrary to prior assumptions,
protected programs do not always have the property that they
are reverted to a fully unprotected state at some point during the
course of their execution. This work provides a novel technique
for circumventing one of the most problematic features of modern
software protections, so-called virtualization obfuscation. The
technique enables analysis of heretofore impenetrable malware
More here: https://www.usenix.org/legacy/event/woot09/tech/full_papers/rolles.pdf