Since malwares contain stalling codes, malicious behaviors can’t be detected in emulated analysis environment. This paper proposes an approach to detect malicious behaviors by evade stalling codes. First, we executed a malware in the emulated analysis environment, and saved every executed instruction in a trace file; Second, we began to detect stalling codes with the trace file, and constructed stalling code evasive points; At last, we executed the malware again and evade stalling codes with the evasive points, and then the malicious behaviors detected. It has been proven by experiments that the approach can evade stalling codes to detect the later malware behaviors effectively, and improve the performance of detecting the malicious behaviors in the emulated analysis environment.

DOI: http://dx.doi.org/10.11591/telkomnika.v10i7.1573