Decompression of run-time compressed PE-files

Similar documents
Decompression Method For Massive Compressed Files In Mobile Rich Media Applications

Profile-driven Selective Code Compression

SSC 2018 OLYMPIC SELECTION POLICY & PROCEDURES SHORT TRACK

GOLOMB Compression Technique For FPGA Configuration

Data Extraction from Damage Compressed File for Computer Forensic Purposes

Compact Binaries with Code Compression in a Software Dynamic Translator

Fast Software-managed Code Decompression

Olympic Agenda Recommendation 28. Support autonomy

A Novel Decode-Aware Compression Technique for Improved Compression and Decompression

Arithmetic Coding Modification to Compress SMS

A handy systematic method for data hazards detection in an instruction set of a pipelined microprocessor

Reduction of Bitstream Transfer Time in FPGA

An Efficient Code Compression Technique using Application-Aware Bitmask and Dictionary Selection Methods

Compact Binaries with Code Compression in a Software Dynamic Translator

Adaptation of Formation According to Opponent Analysis

Critical Systems Validation

SQL LiteSpeed 3.0 Installation Guide

Online Companion to Using Simulation to Help Manage the Pace of Play in Golf

In this assignment, students will analyze statistics from the U.S. Department of Transportation to determine the safest means of travel.

Instruction Cache Compression for Embedded Systems by Yujia Jin and Rong Chen

AC : MEASUREMENT OF HYDROGEN IN HELIUM FLOW

2600T Series Pressure Transmitters Plugged Impulse Line Detection Diagnostic. Pressure Measurement Engineered solutions for all applications

MANUFACTURING TECHNICAL INSTRUCTIONS - SAFETY FALL HAZARD CONTROL REQUIREMENTS SERIES & NO. SMI - 157

The Future of Hydraulic Control in Water-Systems

Reducing Code Size with Run-time Decompression

EEC 686/785 Modeling & Performance Evaluation of Computer Systems. Lecture 6. Wenbing Zhao. Department of Electrical and Computer Engineering

Fast Floating Point Compression on the Cell BE Processor

#19 MONITORING AND PREDICTING PEDESTRIAN BEHAVIOR USING TRAFFIC CAMERAS

Outline. Terminology. EEC 686/785 Modeling & Performance Evaluation of Computer Systems. Lecture 6. Steps in Capacity Planning and Management

International Journal of Engineering Trends and Technology (IJETT) Volume 18 Number2- Dec 2014

1.1 The size of the search space Modeling the problem Change over time Constraints... 21

Queue analysis for the toll station of the Öresund fixed link. Pontus Matstoms *

A Hybrid Code Compression Technique using Bitmask and Prefix Encoding with Enhanced Dictionary Selection

CASE STUDY. Compressed Air Control System. Industry. Application. Background. Challenge. Results. Automotive Assembly

ITAndroids 2D Soccer Simulation Team Description 2016

Standards of Practice Personal Protective Equipment

- 2 - Companion Web Site. Back Cover. Synopsis

Distributed Control Systems

An Architecture for Combined Test Data Compression and Abort-on-Fail Test

Simulation Model Portability 2 standard support in EuroSim Mk4

SUPPLEMENT MATERIALS

SIDRA INTERSECTION 6.1 UPDATE HISTORY

A IMPROVED VOGEL S APPROXIMATIO METHOD FOR THE TRA SPORTATIO PROBLEM. Serdar Korukoğlu 1 and Serkan Ballı 2.

Using MATLAB with CANoe

A study on the relation between safety analysis process and system engineering process of train control system

PEPSE Modeling of Triple Trains of Turbines Sending Extraction Steam to Triple Trains of Feedwater Heaters

Electronic Recording Using FieldLynx Grade 2 ERD Skills

Diver Training Options

ID: Cookbook: browseurl.jbs Time: 03:38:04 Date: 30/04/2018 Version:

MEMORY is one of the key driving factors in embeddedsystem

Rimage Everest 600 Thermal Retransfer Printer

THE CANDU 9 DISTRffiUTED CONTROL SYSTEM DESIGN PROCESS

Safety Standards Acknowledgement and Consent (SSAC) CAP 1395

ID: Cookbook: browseurl.jbs Time: 15:40:31 Date: 11/04/2018 Version:

Spacecraft Simulation Tool. Debbie Clancy JHU/APL

Rescue Rover. Robotics Unit Lesson 1. Overview

These Terms and conditions apply to audit trails incorporated in weighing and measuring devices and systems 1.

UNIVERSITY OF WATERLOO

Walking aids based on wearable/ubiquitous computing aiming at pedestrian s intelligent transport systems

Understanding safety life cycles

Self-Organizing Signals: A Better Framework for Transit Signal Priority

CHAPTER 1 INTRODUCTION TO RELIABILITY

Lossless Comparison of Nested Software Decompositions

Blackwave Dive Table Creator User Guide

C. Mokkapati 1 A PRACTICAL RISK AND SAFETY ASSESSMENT METHODOLOGY FOR SAFETY- CRITICAL SYSTEMS

Dieter Krenz, Linde, Germany, Manel Serra, Inprocess, Spain, and. Theron Strange, Simplot Phosphates, USA, discuss dynamic process simulation

Wade Reynolds 1 Frank Young 1,2 Peter Gibbings 1,2. University of Southern Queensland Toowoomba 4350 AUSTRALIA

Policy for Evaluation of Certification Maintenance Requirements

The benefits of the extended diagnostics feature. Compact, well-proven, and flexible

Application of Dijkstra s Algorithm in the Evacuation System Utilizing Exit Signs

Matrix-based software test data decompression for systems-on-a-chip

The Junior Young Physicists Tournament JYPT. Regulations

Linear Compressor Suction Valve Optimization

MotoTally. Enduro Event Management and Reporting Application

Recycling Bits in LZ77-Based Compression

CONTROL SOLUTIONS DESIGNED TO FIT RIGHT IN. Energy Control Technologies

ID: Cookbook: browseurl.jbs Time: 10:30:00 Date: 09/01/2018 Version:

Neural Network in Computer Vision for RoboCup Middle Size League

One of the most important gauges on the panel is

A Novel Approach to Predicting the Results of NBA Matches

Evaluation and Improvement of the Roundabouts

ISO INTERNATIONAL STANDARD

COMPARISON STUDY BETWEEN THE EFFICIENY OF THE START TECHNIQUES IN THE ROMANIAN COMPETITIVE SWIMMING

TR Electronic Pressure Regulator. User s Manual

Evaluating the Design Safety of Highway Structural Supports

GUIDELINES FOR THE DUTIES AND ACCREDITATION OF JURORS IN FIP WORLD AND SPECIALISED EXHIBITIONS

TRAFFIC IMPACT STUDY CRITERIA

All TSOs of the Nordic Capacity Calculation Region Proposal for fallback procedures in accordance with Article 44 of Commission Regulation (EU)

Safety of railway control systems: A new Preliminary Risk Analysis approach

ROADS, RAILS, AND RUNNING SHOES: DEVELOPING MULTI-MODAL SIGNAL TIMING FOR A NEW LIGHT RAIL CORRIDOR IN AURORA, COLORADO

Version 3.1.0: New Features/Improvements: Improved Bluetooth connection on Windows 10

ANSI N323A and ANSI N323B

MICROSIMULATION USING FOR CAPACITY ANALYSIS OF ROUNDABOUTS IN REAL CONDITIONS

Every things under control High-Integrity Pressure Protection System (HIPPS)

BOTTOM HINGED FLOOD BARRIER

Courseware Sample F0

Design and Simulation of a Pipelined Decompression Architecture for Embedded Systems

Lab Report Outline the Bones of the Story

MEETPLANNER DESIGN DOCUMENT IDENTIFICATION OVERVIEW. Project Name: MeetPlanner. Project Manager: Peter Grabowski

A SEMI-PRESSURE-DRIVEN APPROACH TO RELIABILITY ASSESSMENT OF WATER DISTRIBUTION NETWORKS

Transcription:

Decompression of run-time compressed PE-files MIROSLAV VNUK, PAVOL NÁVRAT Slovak University of Technology Faculty of Informatics and Information Technologies Ilkovičova 3, 842 6 Bratislava, Slovakia Abstract. In this paper, we tackle the problem of compression and decompression of PE-files (portable executable file format in MS Windows). We analyze decompression methods used in the PE-file unpackers. Based on that, we design a new decompression method, which however uses standard decompression algorithms. Finally, we compare various standard decompression methods to our method and analyze and comment the results that we were able to achieve. Introduction One way that malware writers have been using for many years to disguise their malicious software creations, is to use some compression program. These programs (UPX, ASPack, FSG etc.) typically take a Windows PE-file (or another platform executable file) and compress it. File compressed in such a way decompresses itself in memory at runtime. The PE-files compression presents two problems for antivirus engines. First, to detect a known malware, the file has to be decompressed first to reach the point where signature matching can occur. Second, it is necessary to decompress the file so that strong code analysis heuristics could be applied. There are different methods that can be used to decompress these files to the point at which they can be analyzed further. They have both advantages as disadvantages. There is definitely a room for an improvement. That is why we attempted to devise new decompression method. Reviewing the current state of art, there is not much literature on the subject. There are works on compressing executable files (e.g., [2], [3]) and even some works on decompression methods (e.g., [], [4]) but i

strictly speaking, they do not tackle the problem we are attemtping to do. One reason may perhaps be that the developers of compression/decompression programs prefer not to reveal details of methods the programs are based on. Analysis Stand-alone unpackers Some compression programs (packers), such as UPX, use their own decompression program (unpacker) included within themselves. Within a variety of all packers, they are a minority. Stand-alone unpackers can be useful for research purposes, but they are not appropriate for incorporating into mainstream antivirus products. Possibly, they could be a useful add-on for free antivirus solutions. Running and dumping Another technique that is quite successful in decompression of run-time packed executable files, is running the code and then using a utility (such as Procdump, SoftIce, etc.) to capture the in-memory image (which is at certain moment unpacked) and saving it on a disc. Again, similarly to malware packed files, this is really only useful for research purposes, and this needs to be done in a controlled environment. Disadvantage of this method is that it does not know the right point when a running program is to be stopped and then its image captured in the memory. Single-purpose decompression programs This is the most frequently used method of decompression of run-time packed files (not only PE-files). This method works well when a packer uses the same unpacking code each time. One possibility to write this decompression program is to disassemble a sample of a packed file and just copy the bulk of the resulting assembly language code and edit some parts of this code to be able to self-run (i.e., not run as part of compressed file) with a compressed file as input. ii

The resulting code will run quickly. However, the generated code will be processor-specific, and therefore in order to run on many different processors it will need to be patched to the correct form. Duplicating the original code is not a safe strategy. A typical packer has a minimal error checking. If code from this packer is used to unpack the file, the product can overflow the memory allocated, which may eventually crash the process, crash the entire system, or allow an attacker to gain a complete control of the system. The solution of this most important problem is to encapsulate the code within a defensive environment. Another solution would be to add many error-checking controls (buffer underflow / overflow, etc.). Moreover, if there are used in the code some system calls, these must be substituted by own platform or system independent function calls. Because of specific code is needed for each packer (and perhaps for each version of each packer), the size of the antivirus product will also grow quite large. Code emulator Generic code emulation is a very powerful decompression method. To program a code emulator is not simple. But once we have it, this can greatly speed up the process of adding new unpackers. Often, part of the process of adding a new packer can be skipped, because the emulator can decompress a file automatically. The code emulator loads a program into a virtual environment and then runs until the file is decompressed a point which is defined heuristically, not algorithmically. How the heuristic defines a state when a file is decompressed is the most difficult part of decompression by a code emulator. An interesting thing is that once an emulator is able to cope with anti-debugging tricks used by one unpacker, it can cope with the tricks in PE-files compressed by any other packer.. Code emulation is slower than other decompression methods. This is because the code emulator always has to maintain the entire CPU state. Mixed code emulator + specific routines For particularly tricky packers, it might be a good strategy to mix emulation and specific routines. For instance, emulation might take place until polymorphic encryption key has been found. Then the particular encrypted data can be decrypted by a specific routine. Its use iii

is faster then emulation. Mixing code emulator with specific routines, however, brings additiona complication. Emulator for generic decompression This method is a variation of the code emulation method. The difference is that the code emulator keeps on emulating until it heuristically determines that the code is unpacked. The emulator for generic decompression emulates code until a predefined stop event occurs. The event is defined statically. In addition, some form of resource limitation is needed so that the unpacker will not be running forever. Possible candidates are counting the number of emulated instructions or limiting the emulator time. The new decompression method The main idea Idea of the new decompression method is based on a way of compression and decompression of a various compression programs such as the Winrar, bzip, etc. To decompress, these programs use standard decompression algorithms such as the Huffman algorithm, LZ77, LZW, etc. (see [6]). This idea is also based on the fact that designers of executable files packers can use these standard compression/decompression algorithms (perhaps sometimes slightly modified), too. Based on this observation, we design a new decompression method for executable packed files. They can be decompressed in the following way. First, a compressed file is loaded into memory. Next, a statically (i.e., in advance) defined type of standard decompression algorithm is applied. (Sometimes, before applying decompression, it defines modification of decompression algorithm used in decompression routine and uses it to specify the decompression algorithm). Also, before applying decompression, the ranges of source compressed data and destination uncompressed data have to be specified. New decompression method iv

We take into consideration that usually, the compressed executable files had also been encrypted in one way or another. Our new decompression method works therefore as follows:. Step. Identify and decode encrypted parts of the file following the rules set in advance. 2. Step. Identify places of compressed data and uncompressed target data following the rules set in advance. 3. Step. Decompress identified source compressed data by algorithms defined in advance and then save them to the defined destination. 4. Step. If necessary, go back to steps, 2, or 3. 5. Step. Reconstruct executable file body it mostly includes only setting of new values of header structures (such as setting values of Entry point, Size of image, Section table, Import table, Import directory etc. see.[5]). Encapsulation of the new decompression method into a decompression framework As the next step, we designed an encapsulation of this method into a decompression framework (Figure ). It was designed for general purpose with emphasis on flexibility. The idea is that a decompression program can be written with only use of decompression framework and some framework extensions. Basic structure of the designed framework The core part of the framework s design consists of five main parts: CFileStub, CSectionTable, CFileHeader, CImportDirectoryTable, Abstract_Algorithm. Parts CSectionTable, CFileHeader, CImportDirectoryTable represent main data structures of PE-files, which are needed to write the most of decompression programs to unpack PE-files. CFileStub is an abstract class. It represents body of PE-file, as it is loaded into memory by operating system. By generalizing this class and properly implementing its abstract methods, anyone can create a new decompression program (e.g. CFileStub_FSG_0 implements decompression PE-files packed by FSG version.0). v

Abstract class called Abstract_Algorithm represents an interface to add standard algorithm to the decompression framework. The decompression algorithm that has just been added can be used to decompress via the defined interfaces. However, before using an added decompression algorithm, its specification should be amended to reflect concrete requirements of the compression program in question (e.g. the class FSG20_control_stream specifies modification of the LZ77 algorithm, represented by the class LZ77_algorithm to use in any type of file packed by FSG up to version 2.0.) Abstract_Algorithm CFileStub_FSG_0 CFileStub_FSG_3 CFileStub_AnyOtherFileType LZ77_algorithm AnyOther_algorithm CSectionTable CFileStub Abstract_control_stream_LZ77 0..* «datatype» CSectionTableStrct CFileHeader CImportDirectoryTable FSG20_control_stream AnyOther_control_stream 0..* «datatype» My_sectionTable «union» CFileHeaderStruct -base_field[260] : unsigned char «datatype» CImportDirectoryTableStruct «datatype» stream_data «union»my_pe32_group «union» my_importdirectorytablestruct_hlp -base_field[import_directory_table_length] : unsigned char «datatype» my_pe32 «datatype» my_pe32_plus «datatype» my_importdirectorytablestruct Figure Class diagram of the design of the core part of the framework it represents encapsulation of the designed method to decompress PE-file vi

Advantages and disadvantages of the new designed decompression method Basic properties of the designed decompression method are similar to the single-purpose decompression programs method. One of the advantages is speed of decompression. This is similar to the single-purpose method. However, our decompression methods are written in high level language C++. Contrary to that, the single-purpose method is usually written in an assembly language. Speed is ensured by extensive code optimization used in translators. Single-purpose decompression program method should incorporate also many checks (buffer underflow, overflow, etc.), because developer does not need to know how decompression routine really works. Second advantage is high level of code reusing. This is at the same time the source of the next advantage. Third advantage, as compared to the single-purpose decompression programmethod, is reduction of time necessary to implementation and testing of a new unpacker program. In general, it is not necessary to test the implemented reused decompression algorithms so extensively since they were tested many times before. However, this method has not only advantages, it also has some disadvantages. The first disadvantage is that it is necessary to accomplish a detailed analysis of decompression routine and find out what kind of decompression algorithm (and its modification) is used. Another disadvantage is that it is necessary to design and to implement flexible decompression algorithm, which enables to specify this algorithm in various ways (when we started this work, it was not immediately clear, if it could be done this way in a large scale). Yet another disadvantage is that the designed method constitutes no full alternative of the single-purpose decompression programs method, mostly in cases when there was used a nonstandard compression or a compression similar to encryption. Let us present ant advantage, too. There is simple porting of the method used for creating of decompression programs. Reason for it is that these programs are written in high-level language C++, whereas the single-purpose decompression method is usually written in some assembly language. vii

Examples of implementation of some parts of decompression programs Example of specification of decompression algorithm part This example represents the specification of modification of the LZ77 algorithm - control stream used in decompression of PEDiminisher 0. packer by this algorithm. It does not describe implementation of override abstract methods. It describes only generalized class, which encapsulates the specification of the modification the LZ77 algorithm. class PEDiminisher0 control_stream : public Abstract_control_stream_LZ77 { public: PEDiminisher0 control_stream(); PEDiminisher0 control_stream(byte *source, unsigned long int source_length, BYTE *destination, unsigned long int destination_length); virtual ~PEDiminisher0 control_stream();... Example of specification of decompression algorithm (before its using) and the subsequent decompression This example represents specification of modification the decompression algorithm and the next usage of specified decompression algorithm for decompression of two files compressed by PEDiminisher 0. and FSG 2.0. (Note: the parts specifying modifications of LZ77 algorithm are colored blue, parts defined for limits of source data, and target-uncompressed data are colored green). Example of decompression program for PEDiminisher 0. packer: PEDiminisher0 control_stream *control_stream = new PEDiminisher0 control_stream(&(filebody[reg_ebx + ]), FileBodyLength - reg_ebx -, &(tmp_data[]), reg_ecx - ); algorithm = new LZ77_algorithm(&(FileBody[reg_ebx + ]), FileBodyLength - reg_ebx -, &(tmp_data[]), reg_ecx -, control_stream); if (algorithm->unpack()) { delete control_stream; return ; } Example of decompression program for FSG 2.0 packer: viii

FSG20_control_stream *control_stream = new FSG20_control_stream(&(FileBody[source + ]),source_length -, &(FileBody[destination + ]), destination_length - ); if (destination > FileBodyLength source > FileBodyLength) return ; FileBody[destination] = FileBody[source]; algorithm = new LZ77_algorithm(&(FileBody[source + ]),source_length -,&(FileBody[destination + ]), destination_length -, control_stream); if (algorithm->unpack()) { delete control_stream; return ; } Evaluation The method that we propose in this paper aims at improving software process characteristics of design and implementation of decompression methods. How easy is to design and implement a decompression program is not easy to evaluate. We attempted to go beyond some qualitative evaluating comments based on experience of those who tested the method. As a simple quantitative measure, we tried to collect estimations of development times. We gathered time values from actual development efforts as performed by various programmers. It is clear that such values are afflicted by individual variations of programming performance. Nowadays, programmers productivity can be considered more comparable mainly due to better formal education and more elaborated standard software methods and tools, thus making the quantitative values at least roughly objective. Comparison of the new method to other decompression methods in terms of total development time Using the method of experimental evaluation as described above, we wanted to find out how our method encapsulated by framework compares to development of a decompression program as code emulator on one side, and to development of single-purpose decompression programs on the other side. We were interested in finding out which of the three requires less time when several unpackers are developed, both similar to the first one in the row and also several different ones. As we can see, the most time-consuming method for development of the first (initial) unpacker is code emulator followed by our method encapsulated by decompression framework. As ix

the new packers are developed, the total development time for all packers suggests that the single-purpose decompression program method is least effective and the code emulator is the most effective one. Development time [days] 60 40 20 00 80 60 40 20 0 50 37 st decompresion program development 2 6 0 8 2 0 3 2nd decompresion program (similar) development 3rd decompresion program (different) development Decompression program development Code emulator Designed method encapsulated by framework Single-purpose decompression programs method Figure 2 Graphical comparison of the new to other decompression methods in terms of total development time Comparison of the new method to other decompression methods in term of initial development time By initial development time we understand here time devoted to development that is needed before developing the first unpacker. x

Initial development estimation time [days] 60 40 20 00 80 60 40 20 0 47 29 Decompression type Code emulator Designed method encapsulated by framework Single-purpose decompression programs method Figure 3 Graphical comparison of the new method to other decompression methods in term of initial development time This graph helps understand why code emulator and the new method are quite time-consuming methods as far as developing first few unpackers is concerned. It is caused by the need to prepare the emulator resp. the framework before actual development of the unpackers can start.. Comparison of the new designed method to other decompression methods in terms of decompression routine analysis time. As one can see from the graph, the most time-consuming method for analysis is our new method. The reason is that it is necessary to find out how a decompression routine works and also the type of a decompression algorithm (or its modification). The depicted time of analysis of the code emulator method represents analysis if code emulator cannot emulate some packed files (e.g. it can be caused by occurrence of unsupported system call in decompression routine etc.). xi

Decompression routine analyze estimation time [days] 3,5 3 2,5 2,5 0,5 0 3 Decompresion type Code emulator Designed method encapsulated by framework Single-purpose decompression programs method Figure 4 Graphical comparison of the new method to other decompression methods in term of decompression routine analysis time Time interval of analysis of single-purpose decompression programs method represents the basic analysis of structure decompression routine. Comparison of the new method to other decompression methods in terms of decompression routine implementation time. Viewing the graph (Figure 5), following observations can be made: If the code emulator is implemented sufficiently comprehensively, only little implementation work is required to complete its emulation functionality for the first decompression program to be implemented. For subsequent implementations of similar decompression programs, it is reasonable to assume that no further implementation effort is needed at all. For implementations of different decompression programs, implementation effort should be comparable to that of the first one. Application of our new method encapsulated by framework makes the situation quite different. Our method requires implementing decompression routine whenever a new unpacker is implemented. This makes our approach similar to implementations of single-purpose decompression programs. The essential difference is that our method makes use or already implemented (and tested) standard decompression algorithm and reuses parts of code encapsulated in the xii

framework. The extensive algorithm and code reuse are the reasons for shorter implementation time. Implementation estimation time [days] 7 6 5 4 3 2 0 3 6 st decompresion program implementation 0 2 5 2nd decompresion program (similar) implementation 3 6 3rd decompresion program (different) implementation Decompression program implementation Code emulator Designed method encapsulated by framework Single-purpose decompression programs method Figure 5 Graphical comparison of the new method to other decompression methods in terms of decompression routine implementation time Comparison of the new method to other decompression methods in term of testing time The graph (Figure 6) is similar to the previous graph. This fact can be justified by a general observation: the more implementation, the more testing time is needed. xiii

Testing estimation time [days] 4,5 4 3,5 3 2,5 2,5 0,5 0 2 st decompresion program testing 4 4 4 0 2nd decompresion program (similar) testing Decompression program testing 2 3rd decompresion program (different) testing Code Emulator Designed method encapsulated by framework Single-purpose decompression programs method Figure 6 Graphical comparison of the new method to other decompression methods in terms of testing time Comparison of the new method to other decompression methods in terms of file set decompression time The measurements were performed on a set of various compressed files. Their decompression is supported by all the decompression methods. The measurement results support our hypothesis concerning the properties of our new decompression method encapsulated by framework. In particular, as a positive result, we see the fact that there is only a small difference in decompression times between the designed method encapsulated by framework and single-purpose decompression programs method. This being (roughly) equal, what matters are the advantages of design with decompression framework over traditional single purpose decompression programs. xiv

4500 4258 4000 File set decompression time 3500 3000 2500 2000 500 000 500 0 393 292,5 Code emulator Designed method encapsulated by framework Single-purpose decompression programs method Decompression program type Figure 7 Graphical comparison of the new method to other decompression methods in terms of file set decompression time Conclusion We designed new method of implementing decompression programs. It is based on the idea of creating an encapsulating framework. Designing decompression programs in this way turns out to be a more efficient way of programming while allowing to keep essentially the same level of efficiency of the resulting programs. It was practically verified, tested and the achieved results were compared with other decompression methods. The results suggest the designed method is sufficiently robust, comprehensive, fast to implement and test. Using of the designed method encapsulated in decompression framework depends on what we expect from the decompression program to be implemented. Since our method gives decompression programs of comparable efficiency to single-purpose decompression ones, the positive effects of encapsulating framework are likely to prevail. On the other hand, if the expectations are flexibility and ability to support as many compression programs as possible, code emulator might remain a better choice. Acknowledgements The work was partially supported by Slovak State Programme Building the Information Society, project Tools for knowledge xv

acquisition, organization and maintenance in the environment of heterogeneous information sources, contract number: 025/04. References. Corliss, M.L., Lewis, E.C., Roth, A.: A DISE Implementation of Dynamic Code Decompression. ACM SIGPLAN Notices, Volume 38, Issue 7 (July 2003), 232-243. 2. Debray, S., Evans, W.: Profile-Guided Code Compression. In: Proceedings of the ACM SIGPLAN 2002 Conference on Programming language design and implementation, Berlin 2002, ACM SIGPLAN Notices Volume 37, Issue 5 (May 2002), 95-05. 3. Hoogerbrugge, J., Augustejn, L., Trum, J., van de Wiel, A.R.: A Code Compression System Based on Pipelined Interpreters. Software Practice and Experience, 29,, 005-023- 999. 4. Lefurgy, C., Piccininni, E., Mudge, T.: Reducing Code Size with Run-Time Decompression. In: Sixth International Symposium on High-Performance Computer Architecture, 2000, IEEE Computer Society, 28-230. 5. Shipp, A.: Unpacking strategies. Virus Bulletin conference, September 2004: 6. Microsoft Corporation, Microsoft Portable Executable and Common Object File Format Specification, Revision 6.0 - February 999, [3.5.2005]. http://download.microsoft.com/download/e/b/a/eba050f-a3d- 436b-928-92cdfeae4b45/pecoff.doc 7. Data compression algorithm, [3.5.2005]. http://encyclopedia.thefreedictionary.com/data%20compression %20algorithm. xvi

2024 © sportdocbox.com Privacy Policy | Terms of Service | Feedback