A method for detecting obfuscated calls in malicious binaries

Authors: Arun Lakhotia, Eric Uday Kumar, Michael Venable
Journal: IEEE Transactions on Software Engineering

Information about calls to the operating system (or kernel libraries) made by a binary executable may be used to determine whether the binary is malicious. Being aware of this approach, malicious programmers hide this information by making such calls without using the call instruction. For instance, the call addr instruction may be replaced by two push instructions and a ret instruction: the first push pushes the address of the instruction after the ret instruction, and the second push pushes the…
This paper has 52 citations.

