
VirtICE: next generation debugger for malware analysis

Black Hat USA 2010, Las Vegas, July 29th

NGUYEN Anh Quynh, Kuniyasu SUZAKI, AIST, Japan

Who are we?

From the National Institute of Advanced Industrial Science and Technology (AIST), Japan
  NGUYEN Anh Quynh, postdoctoral researcher
    VNSecurity member (http://vnsecurity.net)
  Kuniyasu SUZAKI, senior researcher (PhD)
Multiple interests: operating systems, virtualization, trusted computing, malware analysis, forensics, rootkits, IDS, ...

VM related research areas

Practical security problems regarding Virtual Machines (VM)
  Protect VM
Leverage VM for various security related areas
  Live memory forensics for VM
  Malware scanner for VM
  Dynamic binary analysis
  Vulnerability research
  etc...

VirtICE preview

A new debugger, specially built to analyze malware
Has a new approach to fix most problems of current debuggers
Provides rich functionality targeting the malware analyst
  To ease the job of the malware analyst

Presentation overview

Problems of debuggers in malware analysis
VirtICE solution
  Architecture, Design & Implementation
  Main features
Live demo
Discussions
Conclusions
Q&A


Part I

Malware analysis

Static analysis
  Disassemble/decompile malware binary code
  Analyze the dead listing to understand its activities
  Most malware are packed and obfuscated
Dynamic analysis
  Run malware and monitor its activities at runtime
  Analyze malware while it is running, live

Debugger against malware

Run malware under the monitoring of a debugger
  Disassemble/decompile malware binary
  Monitor execution flow
    Using software/hardware breakpoints
  Monitor data flow
    Using memory watchpoints
  Single step for fine granularity tracing
  etc...

Problems of debuggers

Malware can detect the debugger and change behavior
  Knowing that it is being debugged/monitored, malware can behave differently
  Xu et al [NDSS08] reported the popularity of anti-debugging malware
    93.9% of malware have anti-debugger techniques!
Malware can tamper with the debugger
  Fool the debugger, to make it function incorrectly
  Attack the debugger

Detecting debugger (1)

Debugger uses system services to handle debug events
  Windows OS leaves traces in various places about the existence of a debugger
    PEB::NtGlobalFlag
    PEB::BeingDebugged
  Windows OS even provides some APIs for applications (and for malware, too) to check if a debugger is running
    IsDebuggerPresent()
    CheckRemoteDebuggerPresent()
    NtQueryInformationProcess()
    NtQuerySystemInformation()
    NtQueryObject()

Detecting debugger (2)

Debugger modifies malware
  Writes software breakpoints (0xCC insn) into process memory
  Malware can self-check its code to detect the integrity violation

Detecting debugger (3)

Debugger is visible in the same system
  Detect that a debugger is installed in the system
  Detect that a debugger is running
    Look for special processes, windows of particular debuggers
    Look for special registry entries of particular debuggers
    Look for special kernel devices used by particular debuggers
    Etc...

Tamper with debugger

Tamper with debugger operation to make it work incorrectly
  Modify the hardware breakpoint value if the debugger uses hardware breakpoints
  Reset the software breakpoint (0xCC byte) to its original value, so the debugger is not triggered anymore
Directly attack the debugger
  For example: terminate the debugger with the TerminateProcess() function

Demo

Detecting a debugger is easy and, unfortunately, increasingly complicated techniques are introduced
  Peter Ferrie, Anti-unpacker tricks series 1~9
  and more is still coming :(
Attacking and tampering with a debugger is trivial
  Unfortunately, unfixable!!

Why these problems?

Unfixable debugger
  Because the debugger was never designed to analyze malware in the first place
    Only for legitimate software, built and debugged by developers to find software bugs
    Developers never write software to defeat their own debugger :)
  Unfortunately, malware does that, with lots of sophisticated tricks

Part II

Ideas to solve the problems

Make the debugger invisible to malware
  Malware cannot see the debugger
Put the debugger out of the reach of malware
  Have the debugger in another protection domain, so malware cannot attack it

VirtICE approach

Run malware inside a Virtual Machine (VM)
  Introduces no new problem, because analysts have already used VMs for malware analysis for a long time
Put the debugger in the hypervisor/emulator layer
  Fine-grain instrumentation of the guest VM to intercept the guest anytime/anywhere we want to
  Out of the reach of malware running inside the guest VM

VirtICE architecture

Other benefits

Whole system view, so whole system analysis is possible
Debug anywhere is possible
  Ring 0 code (rootkits included) debugging is better than anything else available out there!

Fix the unfixable problems

VirtICE is invisible to malware
  Debugger uses system services for debugging?
    Not any more, because instrumentation from the bottom can provide an even better mechanism for debugging anywhere
  Debugger modifies the malware process?
    Instrumentation never modifies the malware process
  Debugger is present in the same domain as the malware?
    Stays in the emulator layer, and never uses any agent inside the guest
VirtICE cannot be attacked by malware
  Guaranteed by VM design

VirtICE requirements

Understand guest context from outside
Instrument guest VM execution
  So it is possible to set breakpoints, watchpoints, ... anywhere
Access to VM context
  Read/write VM memory
  Read/write CPU context
Manage VM
  Pause, resume VM

Understand guest context

Must be done from outside, without any support of the guest VM
  VM introspection problem
Leverage works from last year
  See Syscan'09, FrHack'09, HITB'09, DeepSec'09
  EaglEye framework
    Extract OS semantic objects from the VM's memory
    Support Windows OS

EaglEye Framework

Get access to guest memory and CPU context from the host
  Provided by the Kobuta framework (see later)
Retrieve OS objects from virtual/physical memory of the guest VM
  Focus on important objects, especially those usually exploited by malware
    Network ports, connections
    Processes, DLLs, registry entries, ...
    Kernel modules
    etc...

EaglEye architecture

Challenges

Retrieving semantic objects requires an excellent understanding of OS internals
  Locate the objects
  Actually retrieve the objects and their internals
    How are the objects structured?
      Structure size? Structure members? Member offset? Member size? ...

Locate the OS's objects

Kernel modules
Processes/threads
System handles
Open files
Registry
DLLs
Network connections/ports
Drivers, symbolic links, ...

Retrieve objects' internals

Must understand the object structure
  Might change between Windows versions, or even Service Packs

struct _EPROCESS {
    KPROCESS       Pcb;             /* offset 0,    size 0x6c */
    EX_PUSH_LOCK   ProcessLock;     /* offset 0x6c, size 4    */
    LARGE_INTEGER  CreateTime;      /* offset 0x70, size 8    */
    LARGE_INTEGER  ExitTime;        /* offset 0x78, size 8    */
    EX_RUNDOWN_REF RundownProtect;  /* offset 0x80, size 4    */
    ....
};

Current solutions?

Hardcode all the popular objects, with offsets & sizes of popular fields?
  Done by everybody else
  But this is far from good enough!
    Limited to the objects you specify
    Limited to only the offsets you specify

A dream...

To be able to query the structure of all the objects, with their fields
  Support all kinds of OS, with different versions
  On demand, at runtime, with all kinds of objects
  Various questions are possible
    What is the size of this object?
    What is the offset of this member field in this object?
    ...

...Comes true: LibDI

Satisfies all the above requests, and makes your dream come true
Comes in the shape of another framework
Relies on public information on OS objects
  Have the information in the DWARF debugging format, and extract the structures out at runtime
OS independence
  Windows and Linux are well supported so far

Windows internals information

ReactOS file header prototypes
  Free & open to the public (http://www.reactos.org)
  Support Win2k3 and up
    Windows XP and prior are not supported

Sample ReactOS code

typedef struct _EPROCESS {  // removed some fields for brevity
#if (NTDDI_VERSION < NTDDI_WS03)
    FAST_MUTEX WorkingSetLock;
#endif
    ULONG WorkingSetPage;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
    EX_PUSH_LOCK AddressCreationLock;
    PETHREAD RotateInProgress;
#else
    KGUARDED_MUTEX AddressCreationLock;
    KSPIN_LOCK HyperSpaceLock;
#endif
} EPROCESS, *PEPROCESS;

Windows objects

Compile ReactOS file header prototypes with debugging information
Dynamically extract the information out of the object files

g++ -g windows.c -DNTDDI_XPSP3 -c -o windows_XPSP3.o

Windows objects: Problems

ReactOS only supports Win2k3 and up
  Need to patch ReactOS headers to support WinXP and prior versions
    From Windows debugging symbols data
    Patch size is small
Fix incorrect and not updated data structures
  Windows Vista, Windows 2008
Patch to support recent Windows OS, like Windows 7

Sample LibDI API

/* <libdi/di.h> */
/* Get the struct size, given its struct name */
int di_struct_size(di_t h, char *struct_name);
/* Get the size of a field of a struct, given the names of struct and member. */
int di_member_size(di_t h, char *struct_name, char *struct_member);
/* Get the offset of a field member of a struct */
int di_member_offset(di_t h, char *struct_name, char *struct_member);

Sample code using LibDI

#include <libdi/di.h>
...
di_t h;
/* Initialize LibDI to get a LibDI handle */
di_open("windows_XPSP3.o", &h);
/* retrieve the size of _EPROCESS */
int s1 = di_struct_size(h, "_EPROCESS");
/* retrieve the size of _EPROCESS::CreateTime */
int m1 = di_member_size(h, "_EPROCESS", "CreateTime");
/* retrieve the offset of _EPROCESS::CreateTime */
int o1 = di_member_offset(h, "_EPROCESS", "CreateTime");
/* close when you are done with LibDI */
di_close(h);

EaglEye: retrieve objects

Separate API for each kind of object
Designed so it is hard to be abused or tampered with by the guest VM
Get the first object in the list of objects
  Usually the head of the object list must be located
  Or by scanning the pool memory, or scanning in physical memory
    Using pattern matching techniques
Get next objects
  One by one, until reaching the last object

Sample EaglEye API (1)

/* <eagleye/eagleye.h> */
/* @task: output value, points to the kernel memory keeping the task info */
int ee_get_task_first(ee_t h, unsigned long *task);
/* @task: output value, points to the kernel memory keeping the task info */
int ee_get_task_next(ee_t h, unsigned long *task);
/* get the pointer to the process struct, given the process's pid. */
int ee_get_task_pid(ee_t h, unsigned long pid, unsigned long *task);
/* get the first open dll file of a task with a given process id.
 * on return, dll points to the user space memory that keeps the dll info */
int ee_get_task_dll_first(ee_t h, unsigned long pid, unsigned long *dll);
/* get the next open dll file of a task with a given process id. */
int ee_get_task_dll_next(ee_t h, unsigned long *dll);

Sample EaglEye API (2)

/* <eagleye/windows.h> */
/* get process image file name, given its EPROCESS address */
int windows_task_imagename(ee_t h, unsigned long eprocess, char *name, unsigned int count);
/* get process id, given its EPROCESS address */
int windows_task_pid(ee_t h, unsigned long eprocess, unsigned long *pid);
/* get parent process id, given its EPROCESS address */
int windows_task_ppid(ee_t h, unsigned long eprocess, unsigned long *ppid);
/* get process cmdline, given its EPROCESS address */
int windows_task_cmdline(ee_t h, unsigned long eprocess, char *cmdline, unsigned int count);
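The list walk below is an added example, not EaglEye or LibDI code. It assumes a constructed flat guest memory image (struct guest, filled by build_guest), two hypothetical per-version layouts (LAYOUT_VER_A, LAYOUT_VER_B) standing in for the offsets LibDI would pull out of DWARF, and the Windows convention that ActiveProcessLinks.Flink points at the next object's links field rather than at the object itself. It shows the two points made on the slides above: the same first/next walk works for any version once the layout is a parameter, and every guest read is bounds-checked and the walk is loop-bounded, so a list the guest has corrupted cannot hang or crash the host-side analyzer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout of the process object for one OS build. Constructed numbers: the
 * real EaglEye gets them from LibDI, which reads them from DWARF at runtime. */
struct layout {
    uint32_t eprocess_size;
    uint32_t off_pid;        /* UniqueProcessId                  */
    uint32_t off_links;      /* ActiveProcessLinks (Flink/Blink) */
    uint32_t off_imagename;  /* ImageFileName[16]                */
};
static const struct layout LAYOUT_VER_A = { 0x40, 0x08, 0x10, 0x20 };
static const struct layout LAYOUT_VER_B = { 0x60, 0x14, 0x28, 0x40 };

#define GUEST_RAM 0x1000u
#define MAX_TASKS 1024u   /* loop bound: a tampered list must not hang the host */

struct guest {
    uint8_t ram[GUEST_RAM];     /* "physical memory" of the constructed guest */
    const struct layout *lay;
    uint32_t head;              /* guest address of the process list head */
};

/* Every guest access is bounds-checked: the image is attacker-controlled. */
static int rd32(const struct guest *g, uint32_t a, uint32_t *v)
{
    if (a > GUEST_RAM - 4) return -1;
    memcpy(v, g->ram + a, 4);
    return 0;
}
static int wr32(struct guest *g, uint32_t a, uint32_t v)
{
    if (a > GUEST_RAM - 4) return -1;
    memcpy(g->ram + a, &v, 4);
    return 0;
}

/* Constructed image: list head at 0x100 and three process objects, linked the
 * way Windows links EPROCESS (Flink points at the next object's links field). */
static void build_guest(struct guest *g, const struct layout *lay)
{
    static const uint32_t pids[] = { 4, 312, 1200 };
    static const char *names[]  = { "System", "smss.exe", "notepad.exe" };
    uint32_t obj[3], i;

    memset(g, 0, sizeof *g);
    g->lay = lay;
    g->head = 0x100;
    for (i = 0; i < 3; i++) {
        obj[i] = 0x200 + i * lay->eprocess_size;
        wr32(g, obj[i] + lay->off_pid, pids[i]);
        strncpy((char *)g->ram + obj[i] + lay->off_imagename, names[i], 15);
    }
    wr32(g, g->head, obj[0] + lay->off_links);                  /* head.Flink */
    wr32(g, obj[0] + lay->off_links, obj[1] + lay->off_links);
    wr32(g, obj[1] + lay->off_links, obj[2] + lay->off_links);
    wr32(g, obj[2] + lay->off_links, g->head);                  /* back to head */
}

/* EaglEye-style walk: first object, then next, until we are back at the head. */
static int ee_get_task_first(const struct guest *g, uint32_t *task)
{
    uint32_t flink;
    if (rd32(g, g->head, &flink) < 0 || flink == g->head) return -1;
    if (flink < g->lay->off_links) return -1;       /* would wrap below 0 */
    *task = flink - g->lay->off_links;              /* CONTAINING_RECORD */
    return 0;
}
static int ee_get_task_next(const struct guest *g, uint32_t *task)
{
    uint32_t flink;
    if (rd32(g, *task + g->lay->off_links, &flink) < 0) return -1;
    if (flink == g->head) return 1;                 /* end of list */
    if (flink < g->lay->off_links) return -1;
    *task = flink - g->lay->off_links;
    return 0;
}
static int windows_task_pid(const struct guest *g, uint32_t task, uint32_t *pid)
{
    return rd32(g, task + g->lay->off_pid, pid);
}
static int windows_task_imagename(const struct guest *g, uint32_t task,
                                  char *name, unsigned count)
{
    uint32_t a = task + g->lay->off_imagename;
    if (a > GUEST_RAM - 16 || count == 0) return -1;
    snprintf(name, count, "%.15s", (const char *)g->ram + a);
    return 0;
}

/* Number of processes, or -1 if the list is unreadable or longer than
 * MAX_TASKS (a cycle planted by the guest). */
static int ee_count_tasks(const struct guest *g)
{
    uint32_t task; int n = 0, rc;
    if (ee_get_task_first(g, &task) < 0) return -1;
    for (;;) {
        if (++n > (int)MAX_TASKS) return -1;
        rc = ee_get_task_next(g, &task);
        if (rc < 0) return -1;
        if (rc == 1) return n;
    }
}

/* pid -> image name; 0 on success, -1 if absent or the list is tampered. */
static int ee_imagename_by_pid(const struct guest *g, uint32_t pid,
                               char *name, unsigned count)
{
    uint32_t task, p; int n = 0;
    if (ee_get_task_first(g, &task) < 0) return -1;
    for (;;) {
        if (++n > (int)MAX_TASKS) return -1;
        if (windows_task_pid(g, task, &p) < 0) return -1;
        if (p == pid) return windows_task_imagename(g, task, name, count);
        if (ee_get_task_next(g, &task) != 0) return -1;
    }
}

int main(void)
{
    struct guest g; char name[16];
    build_guest(&g, &LAYOUT_VER_B);
    printf("processes: %d\n", ee_count_tasks(&g));
    if (ee_imagename_by_pid(&g, 312, name, sizeof name) == 0)
        printf("pid 312 -> %s\n", name);
    return 0;
}
```

The same walker runs unchanged against both layouts because nothing in it knows a field offset; that is what the LibDI query interface buys. The loop bound and the underflow check are what "hard to be abused or tampered with by the guest VM" costs in practice.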

EaglEye architecture

VirtICE design

Choose VM for VirtICE
  Open source, so customizable (therefore VMWare is not suitable)
  Xen? KVM? VirtualBox? Bochs? Qemu?
    Qemu, 0.12.4 version

VirtICE architecture

Instrument guest VM

Kobuta framework
  Generic instrumentation framework
    Not only for VirtICE, but other internal projects
  Instruments the binary translation process
    Puts hooks at the right places to call out to external instrumentation handlers
  Supports dynamically loaded modules built on top of Kobuta
    A module provides external instrumentation handlers to be executed when called from Kobuta hooks

Instrument guest VM: Challenges

Originally, QEMU provides no support for instrumentation
  We are on our own, and have to build the Kobuta instrumentation framework from scratch
QEMU uses a Just-in-time (JIT) compiler to perform binary translation
  Translated code is saved, and is not translated again if available in the cache
  We have to dig deeply into the translation process of QEMU to provide instrumentation hooks

QEMU JIT compiler

Translate guest code to TCG Intermediate Representation (IR), then translate TCG IR to native (host) code to execute on the host
The translated code is cached to be reused (to improve performance)
Translation is done on a code block basis
To improve performance, the full CPU context (registers, segments, CR*, ...) is only saved at the end of each translated block
  So the CPU context is only guaranteed to be synchronized at the beginning of each block
  In the middle of a block, the CPU context is out of sync
    We have to synchronize the CPU context ourselves when needed
    On x86, only the EFLAGS value is out of sync

Instrumentation hooks

Instrumentation is at the TCG IR level (after target code is translated to TCG IR)
  This is required because translated code is cached for future reference
At all costs, avoid putting static hooks into architecture related code, so supporting all architectures can be done universally
  Instruction level instrumentation is an exception
  Architecture specific instrumentation is also an exception
    Update CR0/2/3/4, RDMSR, WRMSR, SYSENTER/SYSEXIT
Make sure performance overhead is minimized when no instrumentation hook is registered

Sample Kobuta instrumentation

/* target-i386/op_helper.c */
void helper_sysenter(void)
{
    ....
    if (kobuta_ins_sysenter) {   /* SYSENTER hook has been registered? */
        /* Then is it necessary to synchronize the CPU context? */
        if (kobuta_ins_sysenter_cpusync == KOBUTA_CPUSYNC_ENABLE)
            kobuta_syn_cpucontext();   /* Synchronize CPU context on demand */
        kobuta_sysenter();   /* Finally, execute all registered handlers for SYSENTER */
    }
    ...
}

Kobuta framework

Hooking various places useful for generic purposes
Fine-grain instrumentation
  Begin/end of instruction/block
  Jump/call insn
  Interrupt begin/end
  Sysenter/Sysexit/Syscall/Sysret
  Input/Output insn
  Update control registers (CR0, CR2, CR3, CR4)
  RDMSR, WRMSR (read/write to Model Specific Registers)
  Memory access (read/write)

Performance challenge

Vanilla QEMU is quite slow
Accelerate QEMU with KQEMU
  Software based solution to run most instructions directly on the CPU
  Dynamically enabled and disabled by the Kobuta layer
    Turn on KQEMU when nobody registers for Kobuta
    Turn off KQEMU when instrumentation is required
  Support dropped from QEMU 0.12.0 version
    Had to forward port to 0.12.4

Kobuta module

Needs to register with the Kobuta framework for the instrumentation events it is interested in
  Then provides instrumentation handlers for those events
  Handlers are executed when the events happen in the guest VM
Leverages exported functions (from the Kobuta framework) to manage the guest VM
  Pause and resume VM on demand
  Read and write to the VM's memory (physical & virtual memory) and CPU context
  Dynamically enable/disable instrumentation hooks


Kobuta module

Design the Kobuta module to be just a dynamically linked module
  .so file in Linux, .DLL file in Windows
  Loadable into the Qemu process, and supported by OS services
  Easy to implement your Kobuta module (just a normal DL module running in the host OS)

Manage Kobuta modules

Extend QEMU with a new command: kmodule
  Allow an unlimited number of Kobuta modules to be loaded at the same time
  Reloading a module with different parameters is supported
Load module into the Qemu process
  Simply using the DLL service provided by the host OS
    dlopen() in Linux, LoadLibrary() in Windows
  Load module with a string parameter
Unload module from the Qemu process
  Also use the DLL service of the host OS
    dlclose() in Linux
  But how about code (instrumentation handlers) still running?

Unloading Kobuta module

Use a reference counter for Kobuta instrumentation handlers
  Associate each handler with a ref counter
  Increase the counter before running a handler, and decrease it when done
  Only run a handler when its module is in the enabled state
Have a manager thread to unload the Kobuta module
  Firstly, put the module in the disabled state
  Signal the module to interrupt itself
  Periodically check the ref counter, and unload the module when refcount = 0

Export functions (1)

Kobuta module needs to manage the guest VM
  Pause & resume the guest
  Access to guest memory and CPU context
  Register instrumentation hooks and instrumentation handlers with the Kobuta framework
But all these functions stay deeply inside QEMU and the Kobuta layer
  Need to export them out for external Kobuta modules to use

Export functions (2)

Two ways to export these functions from QEMU/Kobuta to external modules
  Refactor QEMU code to export the required functions out to an external DLL library
    The same DLL lib can be linked to both QEMU and the Kobuta module
    Complicated, because too much code needs to be refactored
  Selectively export the needed function pointers to the Kobuta module
    Transfer these pointers to the Kobuta module when loading it
    Extremely easy to implement, and requires minimum modification to QEMU

Exported functions (3)

/* kobuta.h */
struct kobuta_ins {
    kobuta_cpu_t       cpu_read;       /* read CPU context */
    kobuta_cpu_t       cpu_write;      /* modify CPU context */
    kobuta_pmem_rw_t   mem_rw;         /* physical memory read/write */
    uint64_t           ram_size;       /* memory size of guest VM */
    kobuta_virt2phys_t v2p;            /* find physical address of a virtual address */
    kobuta_vm_t        vm_pause;       /* request to pause guest VM */
    kobuta_vm_t        vm_resume;      /* request to resume guest VM */
    kobuta_manager_t   event_manager;  /* manage instrumentation hooks */
    int (*unload)(void);               /* request (from Kobuta layer) to unload this module */
};

Exported functions (4)

enum kobuta_handler_reg_t {
    KOBUTA_HANDLER_INSTALL, KOBUTA_HANDLER_DELETE, ...
};
enum kobuta_cpusync_t {
    KOBUTA_CPUSYNC_DISABLE = 0, KOBUTA_CPUSYNC_ENABLE, ...
};
enum kobuta_event_t {
    KOBUTA_EVENT_JMPCALL, KOBUTA_EVENT_INSN_BEGIN,
    KOBUTA_EVENT_INSN_END, KOBUTA_EVENT_SYSENTER,
    KOBUTA_EVENT_MEM_READ, KOBUTA_EVENT_MEM_WRITE, ....
};

typedef void (*kobuta_manager_t)(enum kobuta_handler_reg_t reg,
                                 enum kobuta_event_t event,
                                 enum kobuta_cpusync_t sync,
                                 void *func);

Sample of Kobuta module

static void sysenter(void)
{
    /* handler body */
}

int k_module_init(struct kobuta_ins *ins, const char *args)
{
    ...
    ins->event_manager(KOBUTA_HANDLER_INSTALL, KOBUTA_EVENT_SYSENTER,
                       KOBUTA_CPUSYNC_DISABLE, sysenter);
    ...
}

int k_module_exit(void)
{
    return 0;
}
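The model below is an added example and not Kobuta code; the names (k_install, k_dispatch, k_try_unload, struct k_module) are ours and the event and state enums are deliberately reduced. It puts the sample module above together with the unloading slide: a handler is installed the way k_module_init() does it, the emulator-side hook dispatches the event and pins the module with a reference count while the handler runs, and the manager-side unload first disables the module and then refuses to release it while the count is non-zero. The concurrency of the real manager thread is emulated by issuing the unload request from inside the running handler.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, reduced mirror of Kobuta's event/handler model. */
enum k_event { K_EVENT_SYSENTER, K_EVENT_INSN_BEGIN, K_EVENT_MAX };
enum k_state { K_MODULE_ENABLED, K_MODULE_DISABLED };
typedef void (*k_handler_fn)(void *ctx);

struct k_module {
    const char  *name;
    enum k_state state;
    unsigned     refcount;               /* handlers of this module running right now */
    k_handler_fn handlers[K_EVENT_MAX];  /* one handler per event in this model */
};

#define MAX_MODULES 4
static struct k_module *modules[MAX_MODULES];

/* Equivalent of event_manager(KOBUTA_HANDLER_INSTALL, ...): attach a handler
 * and make the module visible to the dispatcher. Returns 0 on success. */
static int k_install(struct k_module *m, enum k_event ev, k_handler_fn fn)
{
    int i, slot = -1;
    if (ev >= K_EVENT_MAX || fn == NULL) return -1;
    for (i = 0; i < MAX_MODULES; i++) {
        if (modules[i] == m) { slot = i; break; }
        if (modules[i] == NULL && slot < 0) slot = i;
    }
    if (slot < 0) return -1;             /* module table full */
    modules[slot] = m;
    m->handlers[ev] = fn;
    m->state = K_MODULE_ENABLED;
    return 0;
}

/* What the emulator-side hook (compare helper_sysenter above) does at an
 * event: run every enabled module's handler, pinning the module while it
 * runs. Returns the number of handlers that ran. */
static int k_dispatch(enum k_event ev, void *ctx)
{
    int i, ran = 0;
    for (i = 0; i < MAX_MODULES; i++) {
        struct k_module *m = modules[i];
        if (m == NULL || m->state != K_MODULE_ENABLED || m->handlers[ev] == NULL)
            continue;
        m->refcount++;                   /* an unload must wait for this handler */
        m->handlers[ev](ctx);
        m->refcount--;
        ran++;
    }
    return ran;
}

/* The manager thread's step: disable first, release only when no handler of
 * the module is still on a stack. Returns 0 when the module may be
 * dlclose()d, -1 when the manager has to poll again later. */
static int k_try_unload(struct k_module *m)
{
    int i;
    m->state = K_MODULE_DISABLED;        /* no new handler invocations from now on */
    if (m->refcount != 0) return -1;
    for (i = 0; i < MAX_MODULES; i++)
        if (modules[i] == m) modules[i] = NULL;
    return 0;
}

/* Demo module in the shape of the k_module_init() sample. */
static struct k_module demo_mod = { "demo", K_MODULE_DISABLED, 0, { NULL } };
static int sysenter_seen;
static int unload_rc_inside_handler = 99;

static void demo_sysenter(void *ctx)
{
    (void)ctx;
    sysenter_seen++;
    /* Emulates the manager thread asking for an unload while this handler is
     * still running: refused, because refcount is 1 at this point. */
    unload_rc_inside_handler = k_try_unload(&demo_mod);
}

static int demo_module_init(void)
{
    return k_install(&demo_mod, K_EVENT_SYSENTER, demo_sysenter);
}

int main(void)
{
    demo_module_init();
    printf("handlers run on first SYSENTER: %d\n", k_dispatch(K_EVENT_SYSENTER, NULL));
    printf("unload attempted inside handler: %d (refused)\n", unload_rc_inside_handler);
    printf("handlers run on second SYSENTER: %d (module disabled)\n",
           k_dispatch(K_EVENT_SYSENTER, NULL));
    printf("unload after handler returned: %d (ok)\n", k_try_unload(&demo_mod));
    return 0;
}
```

Without the reference count, dlclose() could unmap the handler's code while the emulator thread is still executing it; the disable-then-poll order also guarantees that no new invocation can start between the check and the unmap.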

VirtICE debugger design

A VirtICE server: a Kobuta module
  Registers related instrumentation hooks (on demand)
    JmpCall (to intercept function calls)
    Begin/end insn (for single step purposes)
    Begin/end interrupts (to intercept syscalls thru Int 2E)
    Sysenter/sysexit (to intercept syscalls)
    Memory access events (to intercept memory reads and writes)
  Leverages the EaglEye framework to access objects in guest memory
A VirtICE client
  Simple frontend to send requests to and receive results from the VirtICE module

VirtICE architecture

Handling requests for VirtICE

Have a separate thread to handle external commands from the VirtICE client
  TCP protocol
  Built-in protocol for exchanging data between module and client
Receive commands from the client
  Debugging commands (disasm, breakpoints, watchpoints, single step, etc)
  Monitoring VM status
  Read/write CPU context and memory
  Run the VM in single step mode
  Enable instrumentation on demand
Using exported functions from Kobuta to manage the VM

VirtICE generic commands

Inspect the malware process running inside the VM
  pe: PE file analyzing
  view: View memory in hex/string format
  dump: Dump memory out (physical, or process or kernel)
  write: Write to memory
  search: Searching (pattern matching, regex, ...)
  ps/pstree: Processes
  dlls: DLLs, registry: Registry, files: Open files, vad: VADs
  kmod: Kernel modules
  address: Attributes of a memory address
  connection: Open network connections, socket: open sockets
  disasm: Disassemble memory range
  register: View all the registers

VirtICE debug commands

Set execution breakpoint: dbs <address>
Set syscall breakpoint
Set memory watchpoint: dbm <address> -c <count> -t <R|W|A>
Single step: dbs
Step over: dbO
Run until RET: dbR
Disassemble
Pause guest VM: dbC | Ctrl+C
Resume guest VM: dbr

VirtICE advanced features

Malware behavior monitoring
  API monitoring: dbM <filename>
    Popular Windows APIs (with semantic arguments)
      Kernel32, User32, GDI32, AdvApi32, WS2_32, Shell32, OLE32, ...
    Malware related API monitoring
      File, Registry, Http, Keylogger, Process, Service, Code injection, ...
  Syscall monitoring (with semantic arguments)
    dbY [filename|ALL|NULL]
Report anti-debugging techniques used by malware
  dbA
  Focus on the most popular tricks so far

Demo

Part IV

Anti VirtICE

Detecting VirtICE?
  Timing attack based on the execution delay introduced by the Kobuta instrumentation framework
    We fix the problem with the internal clock, however
  Timing the debugger delay using an external clock
    Everybody suffers, not only us!
Attack VirtICE?
  Not possible by design, due to the strong isolation between guest and emulator
Anti-virtualization malware?
  Out of scope of this research
  Everybody suffers, too :)

Future development plan

Improve binary analysis
  More semantic information
  GUI?
Unpacking tool (in progress)
Taint analysis tool (in progress)
Improve performance
  Using KVM to speed up even further
  Even currently, KQEMU is not too bad, either
Replayable debugger
  Take a snapshot of memory and HDD and roll back
  So replaying the debug process is possible

Conclusions

VirtICE is a new debugger that can fix most problems of current debuggers against malware
  Leverages VM technology
  Invisible (mostly) to malware
  Tamper resistant against malware
  Provides rich functionality for malware analysis

References

Peter Ferrie [VIRUS BULLETIN]
  Anti-Unpacker tricks (series)
Xu Chen [NDSS08]
  Towards an Understanding of Anti-virtualization and Anti-debugging Behavior in Modern Malware
BitBlaze project
  TEMU framework targets tainting analysis
  Presented in BHUS'10 (yesterday)
  Not a generic instrumentation framework like Kobuta
  Based on an old version of QEMU (0.9) with a very different JIT engine

VirtICE: next generation debugger for malware analysis

Q&A
NGUYEN Anh Quynh <aquynh@gmail.com>
Kuniyasu SUZAKI <k.suzaki@aist.go.jp>
