EM Side Channels for Obfuscation-Aware Malware Detection on Intel: Packers and Virtualization

Abstract

Executable packing and code virtualization are widely used to impede malware analysis, weakening both static inspection and in-host dynamic monitoring. This paper evaluates whether near-field electromagnetic (EM) leakage can expose these obfuscation layers on commodity Intel desktop hardware without any software instrumentation. We study two binary tasks, packed vs. unpacked and virtualized vs. non-virtualized, using paired variants derived from three Linux malware families, with executions interleaved with realistic benign background activity. Two acquisition and representation strategies are compared: a high-fidelity PicoScope-based chain processed through STFT spectrograms with NICV-guided frequency selection, and EM-SENSE, a low-cost Arduino-based prototype that operates at low sampling rates and uses direct time-domain encoding. Across consistent experimental splits and a shared model suite, EM emissions retain discriminative structure for both packing and virtualization. High-fidelity measurements reach up to 99% accuracy for packing and 94% for virtualization, while the low-cost prototype remains above 90% on both tasks. Classical LDA-based pipelines consistently outperform deep architectures, indicating that carefully engineered representations are more effective than end-to-end learning under the studied acquisition conditions. These results support EM side-channel sensing, including low-cost hardware, as a practical, complementary signal for detecting modern malware obfuscation.
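The high-fidelity pipeline the abstract describes (STFT spectrogram, NICV-guided frequency selection, LDA classifier) can be demonstrated end to end in a few dozen lines. The block below is an added example written for this page, not the authors' code, and it runs on constructed synthetic traces rather than real EM captures: the "unpacked" class carries a tone in frequency bin 2, the "packed" class a tone in bin 5, and both classes share a stronger, class-independent tone in bin 7 standing in for benign background activity. The window length, bin assignments, noise level and the pure-Python LDA are all assumptions chosen for illustration; the point it shows is that NICV (Var(E[X|Y]) / Var(X)) ranks the two class-dependent bins above the high-energy but non-discriminative background bin, so the classifier only ever sees the bins that carry obfuscation-related structure.

```python
"""NICV-guided frequency-bin selection over STFT power spectrograms, then a two-class
LDA. Added illustration on constructed synthetic 'EM traces'; not the paper's code."""
import cmath
import math
import random


def stft_power(trace, win=16, hop=16):
    """Rectangular-window STFT; returns, per frame, |X[k]|^2 for k = 0 .. win//2."""
    frames = []
    for start in range(0, len(trace) - win + 1, hop):
        seg = trace[start:start + win]
        frames.append([abs(sum(x * cmath.exp(-2j * math.pi * k * n / win)
                                for n, x in enumerate(seg))) ** 2
                       for k in range(win // 2 + 1)])
    return frames


def spectrogram_features(trace, win=16, hop=16):
    """Time-averaged power per frequency bin: one feature per bin."""
    frames = stft_power(trace, win, hop)
    return [sum(f[k] for f in frames) / len(frames) for k in range(len(frames[0]))]


def nicv(features, labels):
    """Normalized Inter-Class Variance per feature: Var(E[X|Y]) / Var(X), in [0, 1]."""
    n, d = len(features), len(features[0])
    classes = sorted(set(labels))
    scores = []
    for j in range(d):
        col = [f[j] for f in features]
        mean = sum(col) / n
        total = sum((x - mean) ** 2 for x in col) / n
        if total == 0.0:
            scores.append(0.0)
            continue
        inter = 0.0
        for c in classes:                      # between-class variance of per-class means
            vals = [col[i] for i in range(n) if labels[i] == c]
            inter += len(vals) / n * (sum(vals) / len(vals) - mean) ** 2
        scores.append(inter / total)
    return scores


def select_bins(scores, k):
    """Indices of the k highest-NICV bins."""
    return sorted(range(len(scores)), key=lambda j: -scores[j])[:k]


def _invert(m):
    """Gauss-Jordan inverse of a small square matrix given as lists of lists."""
    n = len(m)
    a = [row[:] + [1.0 if i == j else 0.0 for j in range(n)] for i, row in enumerate(m)]
    for i in range(n):
        p = max(range(i, n), key=lambda r: abs(a[r][i]))
        a[i], a[p] = a[p], a[i]
        piv = a[i][i]
        a[i] = [v / piv for v in a[i]]
        for r in range(n):
            if r != i:
                f = a[r][i]
                a[r] = [rv - f * iv for rv, iv in zip(a[r], a[i])]
    return [row[n:] for row in a]


class FisherLDA:
    """Two-class LDA with pooled covariance; predicts 1 past the projected midpoint."""

    def fit(self, X, y, ridge=1e-6):
        d = len(X[0])
        groups = {c: [x for x, l in zip(X, y) if l == c] for c in (0, 1)}
        mu = {c: [sum(col) / len(g) for col in zip(*g)] for c, g in groups.items()}
        cov = [[ridge if i == j else 0.0 for j in range(d)] for i in range(d)]
        for c, g in groups.items():                       # pooled within-class covariance
            for x in g:
                for i in range(d):
                    for j in range(d):
                        cov[i][j] += (x[i] - mu[c][i]) * (x[j] - mu[c][j]) / (len(X) - 2)
        inv = _invert(cov)
        diff = [mu[1][i] - mu[0][i] for i in range(d)]
        self.w = [sum(inv[i][j] * diff[j] for j in range(d)) for i in range(d)]
        mid = [(mu[0][i] + mu[1][i]) / 2 for i in range(d)]
        self.b = -sum(wi * mi for wi, mi in zip(self.w, mid))
        return self

    def predict(self, X):
        return [1 if sum(wi * xi for wi, xi in zip(self.w, x)) + self.b > 0 else 0 for x in X]


def make_dataset(n_per_class=40, length=64, seed=1):
    """Constructed traces (assumption, not measured data): class tone at bin 2 (unpacked)
    or bin 5 (packed), a stronger shared background tone at bin 7, plus white noise."""
    rng = random.Random(seed)
    X, y = [], []
    for label in (0, 1):
        for _ in range(n_per_class):
            tone_bin = 5 if label else 2
            a = rng.uniform(0.8, 1.2)       # per-run amplitude jitter of the class tone
            bg = rng.uniform(1.6, 2.4)      # louder, class-independent 'benign' activity
            ph1, ph2 = rng.uniform(0, 2 * math.pi), rng.uniform(0, 2 * math.pi)
            trace = [a * math.cos(2 * math.pi * tone_bin * t / 16 + ph1)
                     + bg * math.cos(2 * math.pi * 7 * t / 16 + ph2)
                     + rng.gauss(0, 0.3) for t in range(length)]
            X.append(spectrogram_features(trace))
            y.append(label)
    return X, y


def run_pipeline(k=2, seed=1):
    """Rank bins by NICV on the training half, keep the top k, fit LDA, score the held-out half."""
    X, y = make_dataset(seed=seed)
    idx = list(range(len(X)))
    random.Random(seed + 1).shuffle(idx)
    train, test = idx[:len(idx) // 2], idx[len(idx) // 2:]
    Xtr, ytr = [X[i] for i in train], [y[i] for i in train]
    bins = select_bins(nicv(Xtr, ytr), k)
    model = FisherLDA().fit([[x[j] for j in bins] for x in Xtr], ytr)
    preds = model.predict([[X[i][j] for j in bins] for i in test])
    acc = sum(p == y[i] for p, i in zip(preds, test)) / len(test)
    return bins, acc


if __name__ == "__main__":
    print(run_pipeline())
```

Two details matter in practice. NICV is computed on the training split only, so the bin ranking cannot leak held-out labels into the feature set; and the background tone at bin 7 has the most energy in every trace yet receives an NICV near zero, which is exactly why a variance- or energy-ranked selection would pick the wrong bins and why the abstract pairs the spectrogram with NICV rather than raw power.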
