Principles and practise of x-raying

Frédéric Perriot Symantec
Peter Ferrie Symantec

X-raying designates a virus detection method relying on a known-plaintext attack on the virus body. Far from being a new technique, x-raying has been used since the DOS days of yore to detect encrypted or polymorphic viruses without having to emulate their decryption code. As Entry-Point Obscuring viruses surfaced, another advantage of x-raying became obvious, namely the ability to detect an infection without the - sometimes prohibitive - cost of locating the decryption code in the infected object.

In this paper we examine conventional approaches to x-raying and present our own improvements and additions to the traditional methods. We also describe precise applications of x-raying to the detection of several recent polymorphic Win32 viruses. Finally, we discuss the potential and limits of x-raying when faced with complex polymorphic viruses employing multiple encryption layers or metamorphism.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.