{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,7,12]],"date-time":"2025-07-12T22:53:29Z","timestamp":1752360809636,"version":"3.41.0"},"publisher-location":"New York, NY, USA","reference-count":43,"publisher":"ACM","license":[{"start":{"date-parts":[[2021,10,6]],"date-time":"2021-10-06T00:00:00Z","timestamp":1633478400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"Cisco Grant","award":["1377523"],"award-info":[{"award-number":["1377523"]}]},{"DOI":"10.13039\/501100000781","name":"European Research Council","doi-asserted-by":"publisher","award":["771844"],"award-info":[{"award-number":["771844"]}],"id":[{"id":"10.13039\/501100000781","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2021,10,6]]},"DOI":"10.1145\/3471621.3471848","type":"proceedings-article","created":{"date-parts":[[2021,10,7]],"date-time":"2021-10-07T14:50:46Z","timestamp":1633618246000},"page":"177-192","source":"Crossref","is-referenced-by-count":4,"title":["Lost in the Loader: The Many Faces of the Windows PE File Format"],"prefix":"10.1145","author":[{"given":"Dario","family":"Nisi","sequence":"first","affiliation":[{"name":"EURECOM, France"}]},{"given":"Mariano","family":"Graziano","sequence":"additional","affiliation":[{"name":"Cisco Talos, US"}]},{"given":"Yanick","family":"Fratantonio","sequence":"additional","affiliation":[{"name":"Cisco Talos, US"}]},{"given":"Davide","family":"Balzarotti","sequence":"additional","affiliation":[{"name":"EURECOM, France"}]}],"member":"320","published-online":{"date-parts":[[2021,10,7]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"A. Albertini. [n.d.]. 
Corkami PE files corpus. https:\/\/github.com\/corkami\/pocs\/tree\/master\/PE."},{"key":"e_1_3_2_1_2_1","unstructured":"A. Albertini. 2013. Making a Multi-Windows PE. POC or GTFO 0x01 (2013)."},{"key":"e_1_3_2_1_3_1","unstructured":"Alexander Sotirov. [n.d.]. TinyPE. http:\/\/www.phreedom.org\/research\/tinype\/."},{"key":"e_1_3_2_1_4_1","volume-title":"Threat Spotlight: Rombertik \u2013 Gazing Past the Smoke, Mirrors, and Trapdoors. https:\/\/blogs.cisco.com\/security\/talos\/rombertik.","author":"Baker B.","year":"2015","unstructured":"B. Baker, A. Chiu. 2015. Threat Spotlight: Rombertik \u2013 Gazing Past the Smoke, Mirrors, and Trapdoors. https:\/\/blogs.cisco.com\/security\/talos\/rombertik."},{"key":"e_1_3_2_1_5_1","volume-title":"Proceedings of the 8th international workshop on satisfiability modulo theories","author":"Barrett Clark","year":"2010","unstructured":"Clark Barrett, Aaron Stump, Cesare Tinelli, 2010. The smt-lib standard: Version 2.0. In Proceedings of the 8th international workshop on satisfiability modulo theories (Edinburgh, England), Vol.\u00a013. 14."},{"key":"e_1_3_2_1_6_1","unstructured":"S Bratus and J Bangert. 2013. ELFs are dorky elves are cool. POC or GTFO 0x00 (2013)."},{"key":"e_1_3_2_1_7_1","volume-title":"USENIX Security Symposium. 
15","author":"Brumley David","year":"2007","unstructured":"David Brumley, Juan Caballero, Zhenkai Liang, James Newsome, and Dawn Song. 2007. Towards Automatic Discovery of Deviations in Binary Implementations with Applications to Error Detection and Fingerprint Generation. In USENIX Security Symposium. 15."},{"key":"e_1_3_2_1_8_1","unstructured":"Chocolatey. [n.d.]. Chocolatey - The Package Manager for Windows. https:\/\/chocolatey.org\/"},{"key":"e_1_3_2_1_9_1","unstructured":"Cisco. [n.d.]. ClamAV. https:\/\/www.clamav.net\/"},{"key":"e_1_3_2_1_10_1","unstructured":"Cisco. [n.d.]. ClamAV - Bytecode Signatures. https:\/\/www.clamav.net\/documents\/bytecode-signatures"},{"key":"e_1_3_2_1_11_1","unstructured":"Cisco. [n.d.]. ClamAV - File hash signatures. https:\/\/www.clamav.net\/documents\/file-hash-signatures"},{"key":"e_1_3_2_1_12_1","volume-title":"Understanding Linux Malware. In IEEE Symposium on Security & Privacy","author":"Cozzi Emanuele","year":"2018","unstructured":"Emanuele Cozzi, Mariano Graziano, Yanick Fratantonio, and Davide Balzarotti. 2018. Understanding Linux Malware. In IEEE Symposium on Security & Privacy (San Francisco, CA). 
IEEE Computer Society."},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-78800-3_24"},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/360933.360975"},{"key":"e_1_3_2_1_15_1","unstructured":"erocarrera. [n.d.]. pefile. https:\/\/github.com\/erocarrera\/pefile"},{"key":"e_1_3_2_1_16_1","unstructured":"Xinyang Ge, Mathias Payer, and Trent Jaeger. 2017. An Evil Copy: How the Loader Betrays You. In NDSS."},{"key":"e_1_3_2_1_18_1","unstructured":"J. Bangert, R. Shapiro, S. Bratus. 2013. Weird Machines and revisiting Trusting Trust for binary toolchains. http:\/\/www.cs.dartmouth.edu\/~sergey\/trust\/30c3-chain-of-trust.pdf."},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-14577-3_22"},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3133958"},{"key":"e_1_3_2_1_21_1","volume-title":"23rd USENIX Security Symposium (USENIX Security 14)","author":"Kirat Dhilung","year":"2014","unstructured":"Dhilung Kirat, Giovanni Vigna, and Christopher Kruegel. 2014. Barecloud: bare-metal analysis-based evasive malware detection. In 23rd USENIX Security Symposium (USENIX Security 14). 287\u2013301."},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1145\/2046707.2046740"},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-23644-0_18"},{"key":"e_1_3_2_1_24_1","unstructured":"Microsoft. 2018. 
Control Flow Guard. https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/secbp\/control-flow-guard."},{"key":"e_1_3_2_1_25_1","unstructured":"Microsoft. 2018. LoadLibraryExA \u2013 Windows API. https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/libloaderapi\/nf-libloaderapi-loadlibraryexa."},{"key":"e_1_3_2_1_26_1","unstructured":"pe format [n.d.]. PE Format. https:\/\/docs.microsoft.com\/en-gb\/windows\/win32\/debug\/pe-format"},{"key":"e_1_3_2_1_27_1","unstructured":"pev [n.d.]. pev - User manual. http:\/\/pev.sourceforge.net\/doc\/manual\/en_us\/"},{"key":"e_1_3_2_1_28_1","unstructured":"radare2 [n.d.]. radare2 a portable reversing framework. http:\/\/www.radare.org\/."},{"key":"e_1_3_2_1_29_1","unstructured":"roy g biv \/ defjam. [n.d.]. Virtual Code Windows 7 update. https:\/\/github.com\/darkspik3\/Valhalla-ezines\/blob\/master\/Valhalla%20%233\/articles\/VCODE2.TXT."},{"key":"e_1_3_2_1_30_1","unstructured":"saurik. 2013. Exploit (& Fix) Android Master Key. http:\/\/www.saurik.com\/id\/17."},{"key":"e_1_3_2_1_31_1","volume-title":"ELF: A Spotlight on the Underappreciated Metadata. 
In 7th USENIX Workshop on Offensive Technologies (WOOT 13)","author":"Shapiro Rebecca","year":"2013","unstructured":"Rebecca Shapiro, Sergey Bratus, and Sean\u00a0W. Smith. 2013. \u201cWeird Machines\u201d in ELF: A Spotlight on the Underappreciated Metadata. In 7th USENIX Workshop on Offensive Technologies (WOOT 13). USENIX Association, Washington, D.C. https:\/\/www.usenix.org\/conference\/woot13\/workshop-program\/presentation\/shapiro"},{"key":"e_1_3_2_1_32_1","unstructured":"Siguza. 2020. Psychic Paper. https:\/\/siguza.github.io\/psychicpaper\/."},{"volume-title":"Locreate: An Anagram for Relocate","year":"2006","key":"e_1_3_2_1_33_1","unstructured":"skape. 2006. Locreate: An Anagram for Relocate. http:\/\/www.uninformed.org\/?v=6&a=3&t=txt."},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.27"},{"key":"e_1_3_2_1_35_1","unstructured":"Todd Cullum. 2017. Portable Executable File Corruption Preventing Malware From Running. https:\/\/toddcullumresearch.com\/2017\/07\/16\/portable-executable-file-corruption\/."},{"key":"e_1_3_2_1_36_1","article-title":"A Close Look at a Daily Dataset of Malware Samples","volume":"22","author":"Ugarte-Pedrero Xabier","year":"2019","unstructured":"Xabier Ugarte-Pedrero, Mariano Graziano, and Davide Balzarotti. 2019. 
A Close Look at a Daily Dataset of Malware Samples. ACM Transactions on Privacy and Security (TOPS) 22, 1, Article 6 (January 2019), 30\u00a0pages. https:\/\/doi.org\/10.1145\/3291061","journal-title":"ACM Transactions on Privacy and Security (TOPS)"},{"key":"e_1_3_2_1_37_1","unstructured":"ulexec. 2019. ELF Crafting Advance Anti-Analysis techniques for the Linux Platform. https:\/\/github.com\/radareorg\/r2con2019\/blob\/master\/talks\/elf_crafting\/ELF_Crafting_ulexec.pdf."},{"key":"e_1_3_2_1_38_1","unstructured":"virustotal [n.d.]. VirusTotal. https:\/\/www.virustotal.com\/."},{"key":"e_1_3_2_1_39_1","unstructured":"VirusTotal. 2021. File statistics during last 7 days. https:\/\/www.virustotal.com\/en\/statistics\/."},{"key":"e_1_3_2_1_40_1","unstructured":"Mario Vuksan and Tomislav Pericin. 2011. Constant insecurity: Things you didn\u2019t know about portable executable file format. In BlackHat."},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-11379-1_2"},{"key":"e_1_3_2_1_42_1","unstructured":"yara [n.d.]. VirusTotal - yara in a nutshell. 
https:\/\/github.com\/VirusTotal\/yara"},{"key":"e_1_3_2_1_43_1","unstructured":"yara pe [n.d.]. PE module \u2014 yara 4.0.2 documentation. https:\/\/yara.readthedocs.io\/en\/stable\/modules\/pe.html"},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-45719-2_8"}],"event":{"name":"RAID '21: 24th International Symposium on Research in Attacks, Intrusions and Defenses","acronym":"RAID '21","location":"San Sebastian Spain"},"container-title":["24th International Symposium on Research in Attacks, Intrusions and Defenses"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3471621.3471848","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3471621.3471848","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T21:24:49Z","timestamp":1750195489000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3471621.3471848"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,10,6]]},"references-count":43,"alternative-id":["10.1145\/3471621.3471848","10.1145\/3471621"],"URL":"https:\/\/doi.org\/10.1145\/3471621.3471848","relation":{},"subject":[],"published":{"date-parts":[[2021,10,6]]}}}