Surfing Code Waves - INRIA - Institut National de Recherche en Informatique et en Automatique
Report (Research Report) Year: 2009

Surfing Code Waves

Abstract

Runtime code protection techniques are widely used in order to delay reverse code engineering and modify binary signatures. This is a significant problem since virtually every malware sample in the wild is packed and even simple runtime code protection schemes can thwart static analysis. This paper describes a generic technique based on fine-grained trace analysis to automatically detect and classify runtime code protection techniques. This results in easier automatic analysis of the target program and in some cases, such as code packing or encryption, the protection can be fully removed. In other cases, such as code checking and code scrambling, annotations can be provided to static analysis tools to automatically spot the code responsible for the protection. This technique is architecture-independent and operating-system-independent as it uses only general properties about instruction-level memory use.
File not deposited

Dates and versions

inria-00378667, version 1 (25-04-2009)

Identifiers

  • HAL Id: inria-00378667, version 1

Cite

Jean-Yves Marion, Daniel Reynaud. Surfing Code Waves. [Research Report] 2009. ⟨inria-00378667⟩