{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,25]],"date-time":"2026-02-25T19:01:13Z","timestamp":1772046073087,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":46,"publisher":"ACM","license":[{"start":{"date-parts":[[2017,10,30]],"date-time":"2017-10-30T00:00:00Z","timestamp":1509321600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"Darpa","award":["FA8750-16-C-0044"],"award-info":[{"award-number":["FA8750-16-C-0044"]}]},{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","award":["1664315"],"award-info":[{"award-number":["1664315"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2017,10,30]]},"DOI":"10.1145\/3133956.3134099","type":"proceedings-article","created":{"date-parts":[[2017,10,27]],"date-time":"2017-10-27T12:48:18Z","timestamp":1509108498000},"page":"1691-1708","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":35,"title":["Capturing Malware Propagations with Code Injections and Code-Reuse Attacks"],"prefix":"10.1145","author":[{"given":"David","family":"Korczynski","sequence":"first","affiliation":[{"name":"University of Oxford, Oxford, United Kingdom"}]},{"given":"Heng","family":"Yin","sequence":"additional","affiliation":[{"name":"University of California, Riverside, Riverside, USA"}]}],"member":"320","published-online":{"date-parts":[[2017,10,30]]},"reference":[{"key":"e_1_3_2_2_1_1","unstructured":"Andrea Allievi and Holger Unterbrink. 2015. CryptoWall 4 The Evolution Continues. (2015)."},{"key":"e_1_3_2_2_2_1","unstructured":"Magal Baz and Or Safran. 2017. Dridex's Cold War: Enter AtomBombing. (2017)."},{"key":"e_1_3_2_2_3_1","doi-asserted-by":"publisher","DOI":"10.5555\/1247360.1247401"},{"key":"e_1_3_2_2_4_1","doi-asserted-by":"publisher","DOI":"10.1145\/1966913.1966919"},{"key":"e_1_3_2_2_5_1","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813627"},{"key":"e_1_3_2_2_6_1","doi-asserted-by":"publisher","DOI":"10.1145\/1455770.1455776"},{"key":"e_1_3_2_2_7_1","doi-asserted-by":"publisher","DOI":"10.1007\/978--3--540--70542-0"},{"key":"e_1_3_2_2_8_1","doi-asserted-by":"publisher","DOI":"10.5555\/1855491.1855497"},{"key":"e_1_3_2_2_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/2110356.2110358"},{"key":"e_1_3_2_2_10_1","volume-title":"Proceedings of the 23rd USENIX Conference on Security Symposium (SEC'14)","author":"Davi Lucas","year":"2014","unstructured":"Lucas Davi, Ahmad-Reza Sadeghi, Daniel Lehmann, and Fabian Monrose. 2014. Stitching the Gadgets: On the Ineffectiveness of Coarse-grained Control-flow Integrity Protection. In Proceedings of the 23rd USENIX Conference on Security Symposium (SEC'14). USENIX Association, Berkeley, CA, USA, 401--416. http:\/\/dl.acm.org\/citation.cfm?id=2671225.2671251"},{"key":"e_1_3_2_2_11_1","volume-title":"https:\/\/www.cuckoosandbox.org\/","author":"Cuckoo Sandbox Cuckoo","year":"2017","unstructured":"Cuckoo developers. 2017. Cuckoo Sandbox. (2017). https:\/\/www.cuckoosandbox.org\/"},{"key":"e_1_3_2_2_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/1455770.1455779"},{"key":"e_1_3_2_2_13_1","volume-title":"Dynamic Spyware Analysis. In 2007 USENIX Annual Technical Conference on Proceedings of the USENIX Annual Technical Conference (ATC'07)","author":"Egele Manuel","year":"2007","unstructured":"Manuel Egele, Christopher Kruegel, Engin Kirda, Heng Yin, and Dawn Song. 2007. Dynamic Spyware Analysis. In 2007 USENIX Annual Technical Conference on Proceedings of the USENIX Annual Technical Conference (ATC'07). USENIX Association, Berkeley, CA, USA, Article 18, 14 pages. http:\/\/dl.acm.org\/citation.cfm?id=1364385.1364403"},{"key":"e_1_3_2_2_14_1","volume-title":"Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation (OSDI'10)","author":"Enck William","year":"1924","unstructured":"William Enck, Peter Gilbert, Byung-Gon Chun, Landon P. Cox, Jaeyeon Jung, Patrick McDaniel, and Anmol N. Sheth. 2010. TaintDroid: An Information-flow Tracking System for Realtime Privacy Monitoring on Smartphones. In Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation (OSDI'10). USENIX Association, Berkeley, CA, USA, 393--407. http:\/\/dl.acm.org\/citation.cfm?id=1924943.1924971"},{"key":"e_1_3_2_2_15_1","unstructured":"Volatility Foundation. Volatility - Open Source Memory Forensics. http:\/\/www.volatilityfoundation.org\/"},{"key":"e_1_3_2_2_16_1","volume-title":"23rd USENIX Security Symposium (USENIX Security 14)","author":"G\u00f6kta\u015f Enes","year":"2014","unstructured":"Enes G\u00f6kta\u015f, Elias Athanasopoulos, Michalis Polychronakis, Herbert Bos, and Georgios Portokalidis. 2014. Size Does Matter: Why Using Gadget-Chain Length to Prevent Code-Reuse Attacks is Hard. In 23rd USENIX Security Symposium (USENIX Security 14). USENIX Association, San Diego, CA, 417-- 432. https:\/\/www.usenix.org\/conference\/usenixsecurity14\/technical-sessions\/presentation\/goktas"},{"key":"e_1_3_2_2_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/2897845.2897894"},{"key":"e_1_3_2_2_18_1","unstructured":"Pin Yahoo Groups. 2015. Failure to instrument process tree. (2015). https:\/\/groups.yahoo.com\/neo\/groups\/pinheads\/conversations\/topics\/12019"},{"key":"e_1_3_2_2_19_1","volume-title":"OASIcs OpenAccess Series in Informatics","volume":"15","author":"Gustafsson Jan","year":"2010","unstructured":"Jan Gustafsson, Adam Betts, Andreas Ermedahl, and Bj\u00f6rn Lisper. 2010. The M\u00e4lardalen WCET benchmarks: Past, present and future. In OASIcs OpenAccess Series in Informatics, Vol. 15. Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik."},{"key":"e_1_3_2_2_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/2610384.2610407"},{"key":"e_1_3_2_2_21_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2016.2589242"},{"key":"e_1_3_2_2_22_1","doi-asserted-by":"publisher","DOI":"10.1145\/1314389.1314399"},{"key":"e_1_3_2_2_23_1","doi-asserted-by":"publisher","DOI":"10.1007\/978--3--319--26362--5"},{"key":"e_1_3_2_2_24_1","doi-asserted-by":"publisher","DOI":"10.1109\/MALWARE.2016.7888727"},{"key":"e_1_3_2_2_25_1","unstructured":"Peter Kruse. 2012. W32.Tinba (TinyBanker) The Turkish Incident. (2012)."},{"key":"e_1_3_2_2_26_1","unstructured":"Persistence Labs. 2013. Semtrax. (2013). http:\/\/www.persistencelabs.com\/blog"},{"key":"e_1_3_2_2_27_1","unstructured":"Tal Liberman. 2016. AtomBombing: Brand New Code Injection for Windows. (2016)."},{"key":"e_1_3_2_2_28_1","unstructured":"Tal Liberman. 2017. BSidesSF 2017 AtomBombing: Injecting Code Using Windows' Atoms. (2017). https:\/\/www.youtube.com\/watch?v=9HV69QGiBAU"},{"key":"e_1_3_2_2_29_1","volume-title":"Code injection via return-oriented programming. Virus Bulletin","author":"Low Wayne","year":"2012","unstructured":"Wayne Low. 2012. Code injection via return-oriented programming. Virus Bulletin (2012)."},{"key":"e_1_3_2_2_30_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACSAC.2007.15"},{"key":"e_1_3_2_2_31_1","unstructured":"Monnappa22. HollowFind. https:\/\/github.com\/monnappa22\/HollowFind"},{"key":"e_1_3_2_2_32_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2007.17"},{"key":"e_1_3_2_2_33_1","unstructured":"PaloAlto Networks. 2013. The Modern Malware Review. (2013)."},{"key":"e_1_3_2_2_34_1","doi-asserted-by":"publisher","DOI":"10.1109\/MALWARE.2011.6112327"},{"key":"e_1_3_2_2_35_1","unstructured":"Symantec Security Response. 2015. W32.Ramnit analysis. (2015)."},{"key":"e_1_3_2_2_36_1","volume-title":"Mind the Gapz: The Most Complex Bootkiv Ever Analyzed?","author":"Rodionov Eugene","year":"2016","unstructured":"Eugene Rodionov and Aleksandr Matrosov. 2016. Mind the Gapz: The Most Complex Bootkiv Ever Analyzed? (2016)."},{"key":"e_1_3_2_2_37_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACSAC.2006.38"},{"key":"e_1_3_2_2_38_1","doi-asserted-by":"publisher","DOI":"10.1145\/1315245.1315313"},{"key":"e_1_3_2_2_39_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-89862-7_1"},{"key":"e_1_3_2_2_40_1","unstructured":"Xabier Ugarte-pedrero Davide Balzarotti Igor Santos and Pablo G. Bringas. SoK: Deep Packer Inspection: A Longitudinal Study of the Complexity of Run-Time Packers."},{"key":"e_1_3_2_2_41_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23019"},{"key":"e_1_3_2_2_42_1","volume-title":"Integrity verification of user space code. Digital Investigation","author":"White Andrew","year":"2013","unstructured":"Andrew White, Bradley Schatz, and Ernest Foo. 2013. Integrity verification of user space code. Digital Investigation (2013)."},{"key":"e_1_3_2_2_43_1","unstructured":"Lok Yan and Heng Yin. 2017. SoK: On the Soundness and Precision of Dynamic Taint Analysis. (2017). http:\/\/www.cs.ucr.edu\/~heng\/teaching\/cs260-winter2017\/formaltaint.pdf"},{"key":"e_1_3_2_2_44_1","volume-title":"Proceedings of the 21st USENIX Conference on Security Symposium (Security'12)","author":"Yan Lok Kwong","year":"2012","unstructured":"Lok Kwong Yan and Heng Yin. 2012. DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis. In Proceedings of the 21st USENIX Conference on Security Symposium (Security'12). USENIX Association, Berkeley, CA, USA, 29--29. http:\/\/dl.acm.org\/citation.cfm?id=2362793.2362822"},{"key":"e_1_3_2_2_45_1","unstructured":"Udi Yavo and Tomer Bitton. 2015. Injection on Steroids: Code-less Code Injections and 0-Day Techniques. (2015)."},{"key":"e_1_3_2_2_46_1","doi-asserted-by":"publisher","DOI":"10.1145\/1315245.1315261"}],"event":{"name":"CCS '17: 2017 ACM SIGSAC Conference on Computer and Communications Security","location":"Dallas Texas USA","acronym":"CCS '17","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3133956.3134099","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3133956.3134099","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3133956.3134099","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T02:11:03Z","timestamp":1750212663000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3133956.3134099"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017,10,30]]},"references-count":46,"alternative-id":["10.1145\/3133956.3134099","10.1145\/3133956"],"URL":"https:\/\/doi.org\/10.1145\/3133956.3134099","relation":{},"subject":[],"published":{"date-parts":[[2017,10,30]]},"assertion":[{"value":"2017-10-30","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}