Obfuscation Methods
From ema
An Obfuscation Method represents a non-behavioral feature associated with how the code in a malware instance is structured or package. Examples include code encryption (packing) and code compression.
| Name | Description | Associated Attributes | Aliases |
|---|---|---|---|
| code compression | The 'code compression' Obfuscation Method indicates that the code of the malware instance is compressed using one or more compression algorithms. | packing | |
| code encryption | The 'code encryption' Obfuscation Method indicates that the code of the malware instance is encrypted using one or more encryption algorithms. | Common: encryption algorithm | |
| dead code insertion | The 'dead code insertion' Obfuscation Method indicates that the malware instance contains dead intended to impede disassembly. | ||
| entry point obfuscation | The 'entry point obfuscation' Obfuscation Method indicates that the entry point of the malware instance is obfuscated. | ||
| import address table obfuscation | The 'import address table obfuscation' Obfuscation Method indicates that the import address table of the malware instance is obfuscated. | ||
| interleaving code | The 'interleaving code' structural feature refers to a form of obfuscation that splits code into sections that are rearranged and connected by unconditional jumps. | ||
| symbolic obfuscation | The 'symbolic obfuscation' Obfuscation Method refers to the removing or renaming of textual information in the code of the malware instance. |
