Name
Abstract | ||
|---|---|---|
The authors of malware attempt to frustrate reverse engineering and analysis by creating programs that crash or otherwise behave differently when executed on an emulated platform than when executed on real hardware. In order to defeat such techniques and facilitate automatic and semi-automatic dynamic analysis of malware, we propose an automated technique to dynamically modify the execution of a whole-system emulator to fool a malware sample's anti-emulation checks. Our approach uses a scalable trace matching algorithm to locate the point where emulated execution diverges, and then compares the states of the reference system and the emulator to create a dynamic state modification that repairs the difference. We evaluate our technique by building an implementation into an emulator used for in-depth malware analysis. On case studies that include real samples of malware collected in the wild and an attack that has not yet been exploited, our tool automatically ameliorates the malware sample's anti-emulation checks to enable analysis, and its modifications are robust to system changes. |
Year | DOI | Venue |
|---|---|---|
2009 | 10.1145/1655148.1655151 | Proceedings of the 1st ACM workshop on Virtual machine security |
Keywords | DocType | Citations |
virtualization,automated technique,real hardware,in-depth malware analysis,malware analysis,malware attempt,execution diverges,dynamic analysis,whole-system emulator,emulation,anti-emulation check,dynamic state modification,semi-automatic dynamic analysis,emulation-resistant malware,malware sample,reverse engineering | Conference | 28 |
PageRank | References | Authors |
1.48 | 21 | 5 |
Name | Order | Citations | PageRank |
|---|---|---|---|
| Min Gyung Kang | 1 | 497 | 17.99 |
| Heng Yin | 2 | 2153 | 111.33 |
| Steve Hanna | 3 | 1261 | 67.87 |
| Stephen McCamant | 4 | 1638 | 74.34 |
| Dawn Song | 5 | 7084 | 442.36 |