Executable compression, also known as packing, is any means of compressing an executable file and combining the compressed data with decompression code into a single executable. Packing was designed to reduce the storage needed for large files. More recently, the approach has also been used to hide harmful code, known as malware. It is therefore important to decide whether a file has been packed and, if so, by which packing algorithm. The main objective of this work is to gather and combine existing tools to identify which packer has been applied to a given file. To do so, the student will extract static features from the binary of the file and then use rule-based algorithms to match it against potential packers. Dynamic features (i.e., information obtained at execution time) as well as AI will also be applied in a sandbox environment. One of the main challenges will be to define the features; another will be the combination of tools. If time permits, the resulting tool will be embedded into a web application.
Note: this work will extend and improve a work that has recently been accepted: "Effective, Efficient, and Robust Packing Detection and Classification", Computers & Security.
Work in collaboration with CISCO.
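
The static, rule-based step described above, as an added example that is not code from the project or the cited paper: it parses the PE section table, computes per-section entropy, and matches section names against a small rule set. The rule table, the 7.0 entropy threshold, the function names and the `build_sample` test image are assumptions made for illustration.

```python
import math
import struct
from collections import Counter

# Illustrative rules (assumption): section names these packers commonly leave behind.
SECTION_RULES = {"UPX": {"UPX0", "UPX1"}, "ASPack": {".aspack"}, "MPRESS": {".MPRESS1"}}
ENTROPY_THRESHOLD = 7.0  # assumed cut-off in bits per byte, not a value from the page

def entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 when empty)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def sections(pe):
    """Yield (name, raw_bytes) for the entries of the PE section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (count,) = struct.unpack_from("<H", pe, e_lfanew + 6)       # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)   # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size
    for off in range(table, table + 40 * count, 40):
        name = pe[off:off + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        yield name, pe[raw_ptr:raw_ptr + raw_size]

def classify(pe):
    """Return (verdict, {section: entropy}); name rules first, entropy as fallback."""
    feats = {name: round(entropy(raw), 2) for name, raw in sections(pe)}
    hits = sorted(p for p, marks in SECTION_RULES.items() if feats.keys() & marks)
    if hits:
        return hits[0], feats
    if any(h >= ENTROPY_THRESHOLD for h in feats.values()):
        return "unknown packer", feats
    return "not packed", feats

def build_sample(specs):
    """Constructed input: header-only PE image holding the given (name, data) sections."""
    hdr = struct.pack("<2s58xI", b"MZ", 0x40)                   # e_lfanew at 0x3C
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, 0, 0x102)
    ptr, table, body = len(hdr) + 40 * len(specs), b"", b""
    for name, data in specs:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), 0x1000,
                             len(data), ptr + len(body), 0, 0, 0, 0, 0xE0000020)
        body += data
    return hdr + table + body
```

Section names are trivially renamed by an adversary, which is why the entropy fallback reports "unknown packer" instead of trusting a clean name list.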