In the malware realm, designing transparent sandboxes is only one part of the story. When analysts step in to understand the structure and functional capabilities of complex samples, a good deal of their time is wasted disarming piles of anti-analysis techniques.
In this talk, I present BluePill, a dynamic analysis framework that neutralizes a slew of new and old tricks by fooling a sample into believing it is executing freely while it is instead under the scalpel of an analyst. Unlike recent proposals, BluePill can operate alongside classic tools from an analyst's arsenal, hiding their presence from the sample.
BluePill hooks evasive queries and adversarial sequences (such as environment fingerprinting attempts and anti-debugging patterns) and alters what the sample sees of the system. It also fast-forwards time to defeat time-based evasions and stalling strategies. Analysts can debug a sample via the GDB remote protocol and benefit from a new technique that hides the code edits they make from anti-tampering schemes. Finally, BluePill offers taint tracking capabilities that are useful for dissecting behaviors such as evasions.
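To make the hooking and time fast-forwarding idea concrete, here is a small simulation added for this page; it is not BluePill's code and does not use its hook interface. It models a hook layer that sits between a constructed evasive sample and a constructed analysis environment (placeholder registry key and process names, no real product artifacts): environment queries are answered with a clean view, and calls to the sample's sleep/tick primitives advance a virtual clock instead of waiting, so a five-minute stall completes instantly while the analyst keeps a log of every evasive query the sample made.

```python
import time
from dataclasses import dataclass, field

# Constructed stand-in for the analyst's real environment: a VM artifact,
# a debugger process and an attached debugger. Key and process names are
# illustrative placeholders, not identifiers from the talk.
REAL_ENV = {
    "registry_exists": {"HKLM\\SOFTWARE\\PLACEHOLDER_VM_GUEST": True},
    "running_processes": ["explorer.exe", "placeholder_debugger.exe"],
    "is_debugger_present": True,
}


class RawSystem:
    """Pass-through view: the sample sees the environment as it really is."""
    def registry_exists(self, key):
        return REAL_ENV["registry_exists"].get(key, False)

    def running_processes(self):
        return list(REAL_ENV["running_processes"])

    def is_debugger_present(self):
        return REAL_ENV["is_debugger_present"]

    def get_tick_count(self):
        return int(time.monotonic() * 1000)

    def sleep(self, ms):
        time.sleep(ms / 1000)


class VirtualClock:
    """Clock exposed to the sample; sleep() fast-forwards instead of waiting."""
    def __init__(self, start_ms=0):
        self.ms = start_ms

    def get_tick_count(self):
        return self.ms

    def sleep(self, ms):
        self.ms += ms  # advance virtual time, no real delay


@dataclass
class HookLayer:
    """Hooked view: environment queries are sanitized and logged,
    time primitives are redirected to the virtual clock."""
    clock: VirtualClock = field(default_factory=VirtualClock)
    log: list = field(default_factory=list)  # (api, arg, real, shown)
    hidden_processes: frozenset = frozenset({"placeholder_debugger.exe"})

    def registry_exists(self, key):
        real = REAL_ENV["registry_exists"].get(key, False)
        self.log.append(("registry_exists", key, real, False))
        return False  # VM artifacts never exist from the sample's point of view

    def running_processes(self):
        real = list(REAL_ENV["running_processes"])
        shown = [p for p in real if p not in self.hidden_processes]
        self.log.append(("running_processes", None, real, shown))
        return shown

    def is_debugger_present(self):
        self.log.append(("is_debugger_present", None,
                         REAL_ENV["is_debugger_present"], False))
        return False

    def get_tick_count(self):
        return self.clock.get_tick_count()

    def sleep(self, ms):
        self.clock.sleep(ms)


def sample_behaviour(api):
    """Constructed evasive sample: abort on any artifact, else stall 5 min."""
    if api.registry_exists("HKLM\\SOFTWARE\\PLACEHOLDER_VM_GUEST"):
        return "exit: vm detected"
    if "placeholder_debugger.exe" in api.running_processes():
        return "exit: debugger process"
    if api.is_debugger_present():
        return "exit: debugger attached"
    start = api.get_tick_count()
    while api.get_tick_count() - start < 5 * 60 * 1000:
        api.sleep(1000)  # stalling loop, defeated by the virtual clock
    return "payload ran"


def run_unhooked():
    """Without hooks the sample detects the environment and exits early."""
    return sample_behaviour(RawSystem())


def run_hooked():
    """With hooks the sample runs to completion; returns verdict,
    virtual ms elapsed, real seconds elapsed and the evasion log."""
    layer = HookLayer()
    t0 = time.monotonic()
    verdict = sample_behaviour(layer)
    return verdict, layer.clock.ms, time.monotonic() - t0, layer.log


if __name__ == "__main__":
    print("unhooked:", run_unhooked())
    verdict, vms, real_s, log = run_hooked()
    print(f"hooked: {verdict}, virtual {vms} ms in {real_s:.3f} s real time")
    for entry in log:
        print("  evasive query:", entry)
```

The log is the analyst-facing part: each entry records what the sample asked, what the true answer was and what it was shown, which is the information an analyst needs to decide which hooks to keep, customize or add for a given sample.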
Designed around analysts, BluePill lets them customize its hooks and add new ones using insight gained from the dissection, which is especially useful for targeted malware and new tricks. It is also immune to semantic gaps. In this talk, I will show how BluePill can defeat tricks from recent evasive samples and executable protectors, making it possible to dissect them on a standard VirtualBox installation alongside classic analysis tools.