{"id":"https://openalex.org/W1984999133","doi":"https://doi.org/10.1109/malware.2010.5665794","title":"Memory behavior-based automatic malware unpacking in stealth debugging environment","display_name":"Memory behavior-based automatic malware unpacking in stealth debugging environment","publication_year":2010,"publication_date":"2010-10-01","ids":{"openalex":"https://openalex.org/W1984999133","doi":"https://doi.org/10.1109/malware.2010.5665794","mag":"1984999133"},"language":"en","primary_location":{"id":"doi:10.1109/malware.2010.5665794","is_oa":false,"landing_page_url":"https://doi.org/10.1109/malware.2010.5665794","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2010 5th International Conference on Malicious and Unwanted Software","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5058925200","display_name":"Yuhei Kawakoya","orcid":"https://orcid.org/0009-0005-9310-0493"},"institutions":[{"id":"https://openalex.org/I2251713219","display_name":"NTT (Japan)","ror":"https://ror.org/00berct97","country_code":"JP","type":"company","lineage":["https://openalex.org/I2251713219"]}],"countries":["JP"],"is_corresponding":true,"raw_author_name":"Yuhei Kawakoya","raw_affiliation_strings":["NTT Information Sharing and Platform Laboratories, Musashino, Tokyo, Japan","NTT Information Sharing and Platform Laboratories, 9-11, Midori-Cho 3-Chome, Musashino-Shi, Tokyo 180-8585, Japan"],"affiliations":[{"raw_affiliation_string":"NTT Information Sharing and Platform Laboratories, Musashino, Tokyo, Japan","institution_ids":["https://openalex.org/I2251713219"]},{"raw_affiliation_string":"NTT Information Sharing and Platform Laboratories, 9-11, Midori-Cho 3-Chome, Musashino-Shi, Tokyo 180-8585, Japan","institution_ids":["https://openalex.org/I2251713219"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5102143401","display_name":"Makoto Iwamura","orcid":null},"institutions":[{"id":"https://openalex.org/I2251713219","display_name":"NTT (Japan)","ror":"https://ror.org/00berct97","country_code":"JP","type":"company","lineage":["https://openalex.org/I2251713219"]}],"countries":["JP"],"is_corresponding":false,"raw_author_name":"Makoto Iwamura","raw_affiliation_strings":["NTT Information Sharing and Platform Laboratories, Musashino, Tokyo, Japan","NTT Information Sharing and Platform Laboratories, 9-11, Midori-Cho 3-Chome, Musashino-Shi, Tokyo 180-8585, Japan"],"affiliations":[{"raw_affiliation_string":"NTT Information Sharing and Platform Laboratories, Musashino, Tokyo, Japan","institution_ids":["https://openalex.org/I2251713219"]},{"raw_affiliation_string":"NTT Information Sharing and Platform Laboratories, 9-11, Midori-Cho 3-Chome, Musashino-Shi, Tokyo 180-8585, Japan","institution_ids":["https://openalex.org/I2251713219"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5100836888","display_name":"Mitsutaka Itoh","orcid":null},"institutions":[{"id":"https://openalex.org/I2251713219","display_name":"NTT (Japan)","ror":"https://ror.org/00berct97","country_code":"JP","type":"company","lineage":["https://openalex.org/I2251713219"]}],"countries":["JP"],"is_corresponding":false,"raw_author_name":"Mitsutaka Itoh","raw_affiliation_strings":["NTT Information Sharing and Platform Laboratories, Musashino, Tokyo, Japan","NTT Information Sharing and Platform Laboratories, 9-11, Midori-Cho 3-Chome, Musashino-Shi, Tokyo 180-8585, Japan"],"affiliations":[{"raw_affiliation_string":"NTT Information Sharing and Platform Laboratories, Musashino, Tokyo, Japan","institution_ids":["https://openalex.org/I2251713219"]},{"raw_affiliation_string":"NTT Information Sharing and Platform Laboratories, 9-11, Midori-Cho 3-Chome, Musashino-Shi, Tokyo 180-8585, Japan","institution_ids":["https://openalex.org/I2251713219"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":3,"corresponding_author_ids":["https://openalex.org/A5058925200"],"corresponding_institution_ids":["https://openalex.org/I2251713219"],"apc_list":null,"apc_paid":null,"fwci":2.0532,"has_fulltext":false,"cited_by_count":25,"citation_normalized_percentile":{"value":0.86379883,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":89,"max":99},"biblio":{"volume":null,"issue":null,"first_page":"39","last_page":"46"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.9990000128746033,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12034","display_name":"Digital and Cyber Forensics","score":0.996999979019165,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8794092535972595},{"id":"https://openalex.org/keywords/malware","display_name":"Malware","score":0.8692651391029358},{"id":"https://openalex.org/keywords/unpacking","display_name":"Unpacking","score":0.8643503189086914},{"id":"https://openalex.org/keywords/debugging","display_name":"Debugging","score":0.848903477191925},{"id":"https://openalex.org/keywords/executable","display_name":"Executable","score":0.7471297979354858},{"id":"https://openalex.org/keywords/debugger","display_name":"Debugger","score":0.7387458086013794},{"id":"https://openalex.org/keywords/malware-analysis","display_name":"Malware analysis","score":0.6464248895645142},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.5823555588722229},{"id":"https://openalex.org/keywords/code","display_name":"Code (set theory)","score":0.5627747178077698},{"id":"https://openalex.org/keywords/process","display_name":"Process (computing)","score":0.5113431811332703},{"id":"https://openalex.org/keywords/programming-language","display_name":"Programming language","score":0.463580846786499},{"id":"https://openalex.org/keywords/cryptovirology","display_name":"Cryptovirology","score":0.4281652271747589},{"id":"https://openalex.org/keywords/virtual-machine","display_name":"Virtual machine","score":0.42599251866340637},{"id":"https://openalex.org/keywords/embedded-system","display_name":"Embedded system","score":0.3296734690666199}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8794092535972595},{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.8692651391029358},{"id":"https://openalex.org/C2777256151","wikidata":"https://www.wikidata.org/wiki/Q7897273","display_name":"Unpacking","level":2,"score":0.8643503189086914},{"id":"https://openalex.org/C168065819","wikidata":"https://www.wikidata.org/wiki/Q845566","display_name":"Debugging","level":2,"score":0.848903477191925},{"id":"https://openalex.org/C160145156","wikidata":"https://www.wikidata.org/wiki/Q778586","display_name":"Executable","level":2,"score":0.7471297979354858},{"id":"https://openalex.org/C2778485113","wikidata":"https://www.wikidata.org/wiki/Q193231","display_name":"Debugger","level":3,"score":0.7387458086013794},{"id":"https://openalex.org/C2779395397","wikidata":"https://www.wikidata.org/wiki/Q15731404","display_name":"Malware analysis","level":3,"score":0.6464248895645142},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.5823555588722229},{"id":"https://openalex.org/C2776760102","wikidata":"https://www.wikidata.org/wiki/Q5139990","display_name":"Code (set theory)","level":3,"score":0.5627747178077698},{"id":"https://openalex.org/C98045186","wikidata":"https://www.wikidata.org/wiki/Q205663","display_name":"Process (computing)","level":2,"score":0.5113431811332703},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.463580846786499},{"id":"https://openalex.org/C84525096","wikidata":"https://www.wikidata.org/wiki/Q3506050","display_name":"Cryptovirology","level":3,"score":0.4281652271747589},{"id":"https://openalex.org/C25344961","wikidata":"https://www.wikidata.org/wiki/Q192726","display_name":"Virtual machine","level":2,"score":0.42599251866340637},{"id":"https://openalex.org/C149635348","wikidata":"https://www.wikidata.org/wiki/Q193040","display_name":"Embedded system","level":1,"score":0.3296734690666199},{"id":"https://openalex.org/C41895202","wikidata":"https://www.wikidata.org/wiki/Q8162","display_name":"Linguistics","level":1,"score":0.0},{"id":"https://openalex.org/C177264268","wikidata":"https://www.wikidata.org/wiki/Q1514741","display_name":"Set (abstract data type)","level":2,"score":0.0},{"id":"https://openalex.org/C138885662","wikidata":"https://www.wikidata.org/wiki/Q5891","display_name":"Philosophy","level":0,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/malware.2010.5665794","is_oa":false,"landing_page_url":"https://doi.org/10.1109/malware.2010.5665794","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2010 5th International Conference on Malicious and Unwanted Software","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":17,"referenced_works":["https://openalex.org/W116627068","https://openalex.org/W1522250664","https://openalex.org/W1579275852","https://openalex.org/W2096921767","https://openalex.org/W2119251836","https://openalex.org/W2126734536","https://openalex.org/W2131726714","https://openalex.org/W2134633067","https://openalex.org/W2140807364","https://openalex.org/W2159702664","https://openalex.org/W4239813889","https://openalex.org/W4243947286","https://openalex.org/W6604743090","https://openalex.org/W6631155369","https://openalex.org/W6677495220","https://openalex.org/W6678810912","https://openalex.org/W7008106486"],"related_works":["https://openalex.org/W2555789008","https://openalex.org/W1558134444","https://openalex.org/W2105334567","https://openalex.org/W2469507153","https://openalex.org/W1977330409","https://openalex.org/W2902937489","https://openalex.org/W2008790809","https://openalex.org/W2489398155","https://openalex.org/W2504756161","https://openalex.org/W2998557533"],"abstract_inverted_index":{"Malware":[0],"analysts":[1],"have":[2,160,188],"to":[3,13,27],"first":[4],"extract":[5],"hidden":[6,42],"original":[7,43,82,96,113,132,211,217],"code":[8,64,97,114,133,218],"from":[9,134],"a":[10,23,76,164,176],"packed":[11],"executable":[12],"analyze":[14],"malware":[15,19,47,103,195],"because":[16],"most":[17],"recent":[18],"is":[20,67,115],"obfuscated":[21,196],"by":[22,30,180,193,197],"packer":[24],"in":[25,48,104,142],"order":[26],"disrupt":[28],"analysis":[29],"debuggers":[31],"and":[32,56,150,170,214],"dis-assemblers.":[33],"There":[34],"are":[35,100],"several":[36],"studies":[37],"on":[38,102,139],"automatic":[39],"extraction":[40],"of":[41,110,145,175,184,219],"code,":[44],"which":[45],"executes":[46],"an":[49,125],"isolated":[50],"environment,":[51],"monitors":[52],"write":[53],"memory":[54,73,147,173],"accesses":[55,174],"instruction":[57],"fetches":[58],"at":[59],"runtime,":[60],"determines":[61],"if":[62],"the":[63,81,85,95,105,111,130,140,143,152,185,210,216,220],"under":[65],"execution":[66],"newly":[68],"generated,":[69],"then":[70],"dumps":[71],"specific":[72],"areas":[74],"into":[75],"file":[77],"as":[78,92],"candidates":[79,93,137],"for":[80,94,168],"code.":[83],"However,":[84],"conventional":[86],"techniques":[87],"output":[88],"many":[89,136],"dump":[90],"files":[91],"when":[98],"experiments":[99],"conducted":[101],"wild.":[106],"Thus,":[107],"manual":[108],"identification":[109],"true":[112,131],"needed.":[116],"In":[117],"this":[118,157],"paper,":[119],"we":[120,159],"present":[121],"\u201cmemory":[122],"behavior-based":[123],"unpacking,\u201d":[124],"algorithm":[126],"that":[127,204],"automatically":[128],"identifies":[129],"among":[135],"depending":[138],"change":[141],"trend":[144],"accessed":[146],"addresses":[148],"before":[149],"after":[151],"dumping":[153],"points.":[154],"To":[155],"achieve":[156],"algorithm,":[158],"implemented":[161],"Stealth":[162],"Debugger,":[163],"virtual":[165],"machine":[166],"monitor":[167],"debugging":[169],"monitoring":[171],"all":[172],"process":[177],"without":[178],"interruption":[179],"any":[181],"anti-debug":[182],"functions":[183],"malware.":[186,221],"We":[187],"evaluated":[189],"our":[190,205],"proposed":[191,206],"system":[192,207],"using":[194],"various":[198],"common":[199],"packers.":[200],"The":[201],"results":[202],"show":[203],"successfully":[208],"finds":[209],"entry":[212],"points":[213],"obtains":[215]},"counts_by_year":[{"year":2026,"cited_by_count":1},{"year":2025,"cited_by_count":1},{"year":2024,"cited_by_count":1},{"year":2023,"cited_by_count":1},{"year":2022,"cited_by_count":1},{"year":2021,"cited_by_count":1},{"year":2020,"cited_by_count":1},{"year":2019,"cited_by_count":5},{"year":2018,"cited_by_count":2},{"year":2016,"cited_by_count":1},{"year":2015,"cited_by_count":2},{"year":2014,"cited_by_count":2},{"year":2013,"cited_by_count":4},{"year":2012,"cited_by_count":2}],"updated_date":"2026-03-25T13:04:00.132906","created_date":"2025-10-10T00:00:00"}