Abstract: A method is presented for analyzing an original software program as a potentially evasive malware. The method may comprise discovering at least one revealed instruction in the original software program, where the revealed instructions are not executed when the original software program is run without modification; modifying the original software program to create a modified program that will execute at least one revealed instruction when the modified program is run; and exploring the at least one revealed instruction by running the modified program.
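The method above, worked through on a toy bytecode machine as an added example (not code from the patent): an unmodified run records which instructions execute, the complement is the set of revealed instructions, and each executed conditional branch is then inverted in turn so the modified program runs the path the evasion guard skipped. The bytecode, the sample program and the `env_detected` flag are all constructed for this illustration.

```python
# Toy bytecode (constructed): ENV r sets r := 1 if an analysis environment is "detected".
PROGRAM = [
    ("ENV", "r0"),
    ("JNZ", "r0", 4),   # evasion guard: under analysis, jump to the benign exit
    ("LOG", "real behaviour"),
    ("JMP", 5),
    ("LOG", "benign exit"),
    ("HALT",),
]

def run(program, env_detected, max_steps=100):
    """Execute program; return (executed pcs, logs). Step-bounded: forced paths may loop."""
    regs, pc, executed, logs = {}, 0, set(), []
    for _ in range(max_steps):
        if pc >= len(program):
            break
        executed.add(pc)
        op, *args = program[pc]
        if op == "HALT":
            break
        nxt = pc + 1
        if op == "ENV":
            regs[args[0]] = int(env_detected)
        elif op == "LOG":
            logs.append(args[0])
        elif op == "JMP":
            nxt = args[0]
        elif op in ("JZ", "JNZ"):      # conditional branch on register == 0 / != 0
            if (regs.get(args[0], 0) == 0) == (op == "JZ"):
                nxt = args[1]
        pc = nxt
    return executed, logs

def revealed_instructions(program, env_detected):
    """Instructions never reached when the unmodified program runs in this environment."""
    executed, _ = run(program, env_detected)
    return sorted(set(range(len(program))) - executed)

def explore(program, env_detected):
    """Invert each executed conditional branch in turn and run the modified program."""
    executed, _ = run(program, env_detected)
    results = {}
    for pc in sorted(executed):
        op, *args = program[pc]
        if op in ("JZ", "JNZ"):
            modified = list(program)
            modified[pc] = ("JZ" if op == "JNZ" else "JNZ", *args)
            new_executed, logs = run(modified, env_detected)
            results[pc] = (sorted(new_executed - executed), logs)
    return results
```

Under `env_detected=True` the unmodified run only reaches the benign exit and instructions 2 and 3 are revealed; inverting the guard at pc 1 exposes them and logs the hidden behaviour.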
Abstract: A hybrid static/dynamic binary rewrite method is presented, comprising: a one-time configuration step for instrumentation of an unmodified executable binary; invoking the executable binary by copying the unmodified executable binary into a system memory image and running the binary from the system memory image; and rewriting the system memory image by inserting, at a safe location, one or more new instructions in place of existing instructions, where the one or more new instructions transfer execution control to instrumentation instructions located elsewhere within the system memory image, and where the instrumentation instructions were at least in part not contained in the unmodified executable binary.