{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,27]],"date-time":"2026-01-27T13:55:10Z","timestamp":1769522110621,"version":"3.49.0"},"reference-count":74,"publisher":"Springer Science and Business Media LLC","issue":"3","license":[{"start":{"date-parts":[[2007,5,4]],"date-time":"2007-05-04T00:00:00Z","timestamp":1178236800000},"content-version":"tdm","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["J Comput Virol"],"published-print":{"date-parts":[[2007,7,19]]},"DOI":"10.1007\/s11416-007-0046-0","type":"journal-article","created":{"date-parts":[[2007,5,3]],"date-time":"2007-05-03T16:57:40Z","timestamp":1178211460000},"page":"221-236","source":"Crossref","is-referenced-by-count":17,"title":["Secure and advanced unpacking using computer emulation"],"prefix":"10.1007","volume":"3","author":[{"given":"S\u00e9bastien","family":"Josse","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2007,5,4]]},"reference":[{"key":"46_CR1","doi-asserted-by":"crossref","unstructured":"Aho, A.V., Corasik, M.J.: Efficient string matching: an aid to bibliographic search. Commun. ACM 18(6), (1975)","DOI":"10.1145\/360825.360855"},{"key":"46_CR2","unstructured":"Argos project Retrieved from: https:\/\/gforce.cs.vu.nl\/projects\/argos\/ , http:\/\/www.few.vu.nl\/argos\/ (2006)"},{"key":"46_CR3","unstructured":"Argos Howto: Howto: setting up Argos the 0day shellcode catcher. Retrieved from http:\/\/www.few.vu.nl\/argos\/ (2006)"},{"key":"46_CR4","unstructured":"AV-Test.org project: Retrieved from http:\/\/www.av-test.org\/ (2006)"},{"key":"46_CR5","unstructured":"Butler, J.: DKOM (Direct Kernel Object Manipulation, slides). Retrieved from: http:\/\/www.blackhat.com\/presentations\/ , (2006)"},{"key":"46_CR6","unstructured":"Bayer, U., Kruegel, C., Kirda, E.: TTAnalyze: A tool for analyzing malware. In: proceedings of the 15th EICAR Conference, Hamburg, Germany, 29 April\u20133 May 2006. In: Broucek, V. et\u00a0al. (ed.) J. Comput. Virol., EICAR 2006 Special Issue, 2006 (2005)"},{"key":"46_CR7","unstructured":"Bos, H.: A personal view on the future of Zero-day Worm Containment (slides) (2006)"},{"key":"46_CR8","unstructured":"Bellard, F.: QEMU, a Fast and Portable Dynamic Translator. In: Proceedings of the 2005 USENIX Conference (2005)"},{"key":"46_CR9","unstructured":"Betz, C.: MemParser tool. Retrieved from: http:\/\/memparser.sourceforge.net\/ (2006)"},{"key":"46_CR10","doi-asserted-by":"crossref","unstructured":"Beaucamp, P., Filiol, E.: On the possibility of practically obfuscating programs: towards a unified perspective of code protection. In: Proceedings of the First International Workshop in Theoretical Virology 2006, Nancy, May 2007, In: Bonfante, G., Marion, J.-Y., (eds.) WTCV\u201906 Special Issue, J. Comput. Virol. 3(1) 2007 (2006)","DOI":"10.1007\/s11416-006-0029-6"},{"key":"46_CR11","unstructured":"Brosch, T., Morgenstern, M.: Runtime packers: the hidden problem. Black Hat 2006 Conference (2006)"},{"key":"46_CR12","unstructured":"Bochs: Bochs, the open source IA-32 emulation project. Available at: http:\/\/bochs.sourceforge.net\/ http:\/\/bochs.sourceforge.net\/ (2007)"},{"key":"46_CR13","unstructured":"Brulez, N.: Anti Reverse Engineering Uncovered. Code Breakers Journal. http:\/\/www.CodeBreakers-Journal.com Previously published at the Honeynet Project, Scan of the Month 33 (2005)"},{"key":"46_CR14","unstructured":"Burdach, M.: An Introduction to Windows memory forensic. Retrieved from: http:\/\/forensic.seccure.net , September 2006 (2005)"},{"key":"46_CR15","unstructured":"Burdach, M.: Digital forensics of the physical memory. Retrieved from: http:\/\/forensic.seccure.net , September 2006 (2005)"},{"key":"46_CR16","unstructured":"Burdach, M.: idetect, ProcEnum, WMFT tools. Retrieved from: http:\/\/forensic.seccure.net , September 2006 (2005)"},{"key":"46_CR17","unstructured":"Burdach, M.: Digital Investigation. Retrieved from: http:\/\/forensic.seccure.net (2006)"},{"key":"46_CR18","unstructured":"Burdach, M.: Finding Digital Evidence In Physical Memory (slides). Retrieved from: http:\/\/forensic.seccure.net (2006)"},{"key":"46_CR19","unstructured":"Butler, J., Hoglund, G.: Rootkits: Subverting the Windows Kernel. Addison Wesley, ISBN 0-321-29431-9 (2006)"},{"key":"46_CR20","doi-asserted-by":"crossref","unstructured":"Bos, H., Portokalidis, G., Slowinska, A.: Argos: An Emulator for Fingerprinting Zero-Day Attacks. In: Proceedings EuroSys (2006)","DOI":"10.1145\/1217935.1217938"},{"key":"46_CR21","unstructured":"Cohen, F.: Computer viruses, Ph.D. thesis, University of Southern California (1986)"},{"key":"46_CR22","unstructured":"Carvey, H.: Reassembling an image file from a memory dump. Retrieved from: http:\/\/sourceforge.net\/projects\/windowsir (2006)"},{"key":"46_CR23","unstructured":"Carvey, H.: Ramdump, lsproc, lspm, ReadPE tools. Retrieved from: http:\/\/sourceforge.net\/projects\/windowsir (2006)"},{"key":"46_CR24","unstructured":"Christodorescu, M., Kinder, J., Jha, S., Katzenbeisser, S., Veith, H.: Malware Normalization, Technical Report, University of Wisconsin, Madison, USA (2005)"},{"key":"46_CR25","unstructured":"Clam AntiVirus: Available at: http:\/\/www.clamav.net\/ (2007)"},{"key":"46_CR26","unstructured":"Cloakware: Retrieved from: http:\/\/www.cloakware.com\/ (2007)"},{"key":"46_CR27","unstructured":"Cogswell, C., Russinovich, M.: RootkitRevealer. Available at: http:\/\/www.sysinternals.com\/ (2006)"},{"key":"46_CR28","unstructured":"DataRescue: Using the Universal PE Unpacker Plug-in included in IDA Pro 4.9 to unpack compressed executables. Retrieved from: http:\/\/www.datarescue.com\/idabase\/ , September 2006 (2005)"},{"key":"46_CR29","unstructured":"DataRescue: Using the IDA debugger to unpack an hostile PE executable. Retrieved from: http:\/\/www.datarescue.com\/idabase\/ (2006)"},{"key":"46_CR30","unstructured":"Elias: Detect if your program is running inside a Virtual Machine. 14 Mars 2005. Retrieved from: http:\/\/lgwm.org (Elias homepage), September 2006 (2005)"},{"key":"46_CR31","unstructured":"Filiol, F.: Strong cryptography armoured computer viruses forbidding code analysis: the Bradley virus. In: Proceedings of the 14th EICAR Conference, pp. 210\u2013214 (2005)"},{"key":"46_CR32","unstructured":"Filiol E.: Techniques virales avanc\u00e9es, IRIS Series, Springer Verlag France, January 2007. An English translation is pending (due mid 2007) (2007)"},{"key":"46_CR33","doi-asserted-by":"crossref","unstructured":"Filiol, F., Josse, S.: A statistical model for undecidable viral detection. In: Proceedings of the 16th EICAR Conference, Budapest, Hungary, 5\u20138 May 2007. To appear in: Broucek, V. (ed.) Eicar 2007 Special Issue, J. Comput. Virol. 3(2) (2007)","DOI":"10.1007\/s11416-007-0041-5"},{"key":"46_CR34","unstructured":"Ferrie, P.: Attacks on virtual machine emulators. In: Proceedings of the 2006 AVAR Conference, Auckland, NZ (2006)"},{"key":"46_CR35","unstructured":"Garner, G.M.: Forensic Acquisition Utilities: Dd, md5lib, md5sum, VolumeDump, Wipe, ZlibU, nc, GetOpt. Retrieved from: http:\/\/users.erols.com\/gmgarner\/forensics\/ , (2006)"},{"key":"46_CR36","unstructured":"Garner, G.M., Mora, R.: Kntlist tool. Retrieved from: http:\/\/www.dfrws.org\/2005\/challenge\/kntlist.html (2006)"},{"key":"46_CR37","unstructured":"Irvin, C.E., Robin, J.S.: Analysis of the Intel Pentium\u2019s ability to support a secure virtual machine monitor. In: Proceedings of Usenix00 Conference (2000)"},{"key":"46_CR38","doi-asserted-by":"crossref","unstructured":"Josse, S.: How to assess the security of your anti-virus? In: Proceedings of the 15th EICAR Conference, Hamburg, Germany, 29 April\u20133 May 2006. In: Broucek, V. et\u00a0al. (ed.) J. Comput. Virol. EICAR 2006 Special Issue, 1(2) (2006)","DOI":"10.1007\/s11416-006-0016-y"},{"key":"46_CR39","unstructured":"Josse, S.: Secure and advanced unpacking using computer emulation. In: Proceedings of the AVAR 2006 Conference, Auckland, New Zealand (2006)"},{"key":"46_CR40","unstructured":"MackT\u2019s ImportREC: Available at: http:\/\/mackt.cjb.net\/ (2006)"},{"key":"46_CR41","unstructured":"Microsoft PE-COFF: Microsoft Portable Executable and Common Object File Format Specification, revision 8.0, 2006. Retrieved from http:\/\/msdn.microsoft.com\/ (2006)"},{"key":"46_CR42","unstructured":"Nebbett, G.: Windows NT\/2000 Native API Reference. MTP Press (2000)"},{"key":"46_CR43","unstructured":"Newbigin, J.: Dd for Windows. Retrieved from: http:\/\/uranus.it.swin.edu.au\/~jn\/linux\/rawwrite\/dd.htm (2006)"},{"key":"46_CR44","unstructured":"Ollydbg: Available at: http:\/\/www.ollydbg.de\/ (2007)"},{"key":"46_CR45","unstructured":"Ollydbg Plugins: Available at: http:\/\/www.openrce.org\/download\/ browse\/OllydbgPlugins\/ (2007)"},{"key":"46_CR46","unstructured":"Pennell, A.: Post-Mortem Debugging Your Application with Minidumps and Visual Studio. NET (2002)"},{"key":"46_CR47","unstructured":"Pennell, A.: Minidumps tool (2002)"},{"key":"46_CR48","unstructured":"Portokalidis, G.: Zero Hour Worm Detection and Containment using Honeypots. Master Thesis, University of Crete (2004)"},{"key":"46_CR49","unstructured":"PE iDentifier. Available at: http:\/\/peid.tk (2007)"},{"key":"46_CR50","unstructured":"Plex86 x86 Virtual Machine Project: Available at: http:\/\/plex86.sourceforge.net\/ (2007)"},{"key":"46_CR51","unstructured":"QEMU Project: Available at: http:\/\/fabrice.bellard.free.fr\/qemu\/ (2006)"},{"key":"46_CR52","unstructured":"Rutkowska, J.: Detecting Windows Server Compromises with Patchfinder 2. Retrieved from: http:\/\/www.invisiblethings.org\/papers\/ , September 2006 (2004)"},{"key":"46_CR53","unstructured":"Rutkowska, J.: Red Pill... or how to detect VMM using (almost) one CPU instruction. Retrieved from: http:\/\/www.invisiblethings.org\/papers\/ , September 2006 (2004)"},{"key":"46_CR54","unstructured":"Russinovich, M.E., Solomon, D.A.: Inside Microsoft Windows 2000, 3rd edn. Microsoft Press, ISBN 0-7356-1021-5 (2000)"},{"key":"46_CR55","unstructured":"Russinovich, M.E., Solomon, D.A.: Microsoft Windows Internals, 4th edn: Microsoft Windows Server 2003, Windows XP, and Windows 2000 (2004)"},{"key":"46_CR56","unstructured":"Szor, P.: Memory scanning under Windows NT. In: Proceedings of Virus Bulletin Conference (1999)"},{"key":"46_CR57","unstructured":"Stepan, A.E.: Defeating polymorphism: beyond emulation. In: Proceedings of Virus Bulletin Conference (2005)"},{"key":"46_CR58","unstructured":"Schuster, A.: Reconstructing a Binary. Part 1, part 2. Retrieved from: http:\/\/computer.forensikblog.de\/en\/2006\/04\/reconstructing_a_binary.html (2006)"},{"key":"46_CR59","unstructured":"Schuster, A.: Tool MemDump.PL (PERL script). Retrieved from: http:\/\/computer.forensikblog.de\/ (2006)"},{"key":"46_CR60","doi-asserted-by":"crossref","unstructured":"Schuster, A.: Tool PTFinder.PL (Find Processes and Threads in a Microsoft Windows memory dump, PERL script). Retrieved from: http:\/\/computer.forensikblog.de\/en\/topics\/windows\/memory_analysis\/ (2006)","DOI":"10.1016\/j.diin.2006.06.010"},{"key":"46_CR61","unstructured":"Schuster, A.: Improving list-walkers. Retrieved from: http:\/\/computer.forensikblog.de\/ (2006)"},{"key":"46_CR62","unstructured":"Schuster, A.: Acquisition: dd. Retrieved from: http:\/\/computer.forensikblog.de\/ (2006)"},{"key":"46_CR63","unstructured":"Schuster, A.: Adapting PTfinder to other Versions of Microsoft Windows. Retrieved from: http:\/\/computer.forensikblog.de\/ (2006)"},{"key":"46_CR64","unstructured":"Schuster, A.: Converting Virtual into Physical Addresses. Retrieved from: http:\/\/computer.forensikblog.de\/ (2006)"},{"key":"46_CR65","unstructured":"Schuster, A.: Searching for Processes and Threads. Retrieved from: http:\/\/computer.forensikblog.de\/ (2006)"},{"key":"46_CR66","unstructured":"Schuster, A.: More on Processes and Threads. Retrieved from: http:\/\/computer.forensikblog.de\/ (2006)"},{"key":"46_CR67","unstructured":"Tr\u00f6ger, J.: Specification-Driven Dynamic Binary Translation. Ph.D. Thesis from Queensland University of Technology, Brisbane, Australia (2004)"},{"key":"46_CR68","unstructured":"VMware ACE: Available at: http:\/\/www.vmware.com\/products\/ ace\/ (2007)"},{"key":"46_CR69","unstructured":"VX Heavens Virus Collection: Retrieved from http:\/\/vx.netlux.org\/ (2006)"},{"key":"46_CR70","unstructured":"Weariless: Performing a hex dump of another process\u2019s memory. Retrieved from: http:\/\/www.codeproject.com\/ , September 2006 (2003)"},{"key":"46_CR71","unstructured":"Weariless: MDump tool. Retrieved from: http:\/\/www.codeproject.com\/ , September 2006 (2003)"},{"key":"46_CR72","unstructured":"y0da\u2019s LordPE: Available at: http:\/\/y0da.cjb.net (2007)"},{"key":"46_CR73","unstructured":"Z0mbie: Automated reverse engineering: Mistfall engine. Retrieved from: http:\/\/vx.netlux.org\/ , September 2006 (2000)"},{"key":"46_CR74","unstructured":"Z0mbie: VMWare has you. Retrieved from: http:\/\/vx.netlux.org\/ , September 2006 (2001)"}],"container-title":["Journal in Computer Virology"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s11416-007-0046-0.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/article\/10.1007\/s11416-007-0046-0\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s11416-007-0046-0","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2019,6,1]],"date-time":"2019-06-01T14:45:41Z","timestamp":1559400341000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/s11416-007-0046-0"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2007,5,4]]},"references-count":74,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2007,7,19]]}},"alternative-id":["46"],"URL":"https:\/\/doi.org\/10.1007\/s11416-007-0046-0","relation":{},"ISSN":["1772-9890","1772-9904"],"issn-type":[{"value":"1772-9890","type":"print"},{"value":"1772-9904","type":"electronic"}],"subject":[],"published":{"date-parts":[[2007,5,4]]}}}