BluePill: Neutralizing Anti-Analysis Behavior in Malware Dissection

Presented at Black Hat Europe 2019, Dec. 4, 2019, 12:10 p.m. (25 minutes).

In the malware realm, designing transparent sandboxes is only one part of the story. When analysts step in to understand the structure and functional capabilities of complex samples, a good deal of their time is wasted disarming piles of anti-analysis techniques.

To neutralize a slew of new and old tricks, in this talk I present BluePill, a dynamic analysis framework that fools a sample into believing it is running unobserved while it is instead under the analyst's scalpel. Unlike recent proposals, BluePill can operate alongside classic tools from an analyst's arsenal, hiding their presence from the sample.

BluePill hooks evasive queries and adversarial sequences (such as environment fingerprinting attempts and anti-debugging patterns), altering what the sample sees of the system. It also fast-forwards time to defeat time-based evasions and stalling strategies. Analysts can debug a sample via the GDB remote protocol and benefit from a new technique that hides their code edits from anti-tampering schemes. Finally, BluePill offers taint tracking capabilities useful for dissecting behaviors such as evasions.
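The time-related part of the paragraph above hides a subtlety that a worked example shows better than prose: skipping a sample's sleep is not enough, because an evasive sample measures the clock across the sleep and treats a missing delta as proof of analysis. The clock the sample reads must therefore be fast-forwarded by exactly the skipped amount, and a stalling loop that spins on the clock is handled by letting the clock it reads run faster than real time. The program below is an added illustration written for this page, not BluePill's code: it models the hook as a function-pointer-free indirection over POSIX `clock_gettime`/`nanosleep` (a real framework intercepts the OS time APIs the sample actually calls), and the names `hooks_install`, `hooked_now_ns`, `hooked_sleep_ns`, `sample_sleep_check` and `sample_stalling_loop` are all hypothetical.

```c
/* Added example (not BluePill's code): why sleep-skipping must be paired with
 * a consistently fast-forwarded clock, and how a scaled clock defeats a
 * stalling loop. Assumes a POSIX system with CLOCK_MONOTONIC and nanosleep. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical analysis-side state standing in for a framework's time hooks. */
static int     g_skip_sleeps  = 0;  /* 1: the sample's sleep calls return at once   */
static int     g_fast_forward = 0;  /* 1: skipped sleep time is added to the clock  */
static int64_t g_scale        = 1;  /* the clock the sample sees runs this much faster */
static int64_t g_base_ns      = 0;  /* real time when the hooks were (re)installed  */
static int64_t g_skipped_ns   = 0;  /* total sleep time skipped so far              */

static int64_t real_now_ns(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (int64_t)ts.tv_sec * 1000000000LL + ts.tv_nsec;
}

/* Reconfigure the hooks; called before each run of the sample. */
void hooks_install(int skip_sleeps, int fast_forward, int64_t scale) {
    g_skip_sleeps  = skip_sleeps;
    g_fast_forward = fast_forward;
    g_scale        = scale;
    g_base_ns      = real_now_ns();
    g_skipped_ns   = 0;
}

/* Hooked clock query: what the sample is allowed to see. */
int64_t hooked_now_ns(void) {
    int64_t elapsed = real_now_ns() - g_base_ns;
    return g_base_ns + elapsed * g_scale + (g_fast_forward ? g_skipped_ns : 0);
}

/* Hooked sleep: either really sleeps or just records what the sample asked for. */
void hooked_sleep_ns(int64_t ns) {
    if (g_skip_sleeps) {
        g_skipped_ns += ns;
        return;
    }
    struct timespec ts = { (time_t)(ns / 1000000000LL), (long)(ns % 1000000000LL) };
    while (nanosleep(&ts, &ts) != 0) { /* retry on EINTR */ }
}

/* Evasive sample, check 1: did the sleep I asked for really elapse?
 * Returns 1 when the sample concludes it is being analyzed. */
int sample_sleep_check(int64_t sleep_ns) {
    int64_t t0 = hooked_now_ns();
    hooked_sleep_ns(sleep_ns);
    int64_t t1 = hooked_now_ns();
    return (t1 - t0) < sleep_ns;
}

/* Evasive sample, check 2: a stalling loop that spins until the clock it reads
 * has advanced by wait_ns. Returns the real time the loop cost the analyst. */
int64_t sample_stalling_loop(int64_t wait_ns) {
    int64_t real_start = real_now_ns();
    int64_t t0 = hooked_now_ns();
    while (hooked_now_ns() - t0 < wait_ns) {
        /* burn cycles, as a stalling loop does */
    }
    return real_now_ns() - real_start;
}

typedef struct {
    int     detected;         /* sample's verdict: 1 = "I am being analyzed" */
    int64_t real_elapsed_ns;  /* wall-clock time the check cost the analyst */
} run_result;

/* Run check 1 under one hook configuration (clock scale 1). */
run_result run_sleep_check(int skip_sleeps, int fast_forward, int64_t sleep_ns) {
    hooks_install(skip_sleeps, fast_forward, 1);
    int64_t start = real_now_ns();
    run_result r;
    r.detected = sample_sleep_check(sleep_ns);
    r.real_elapsed_ns = real_now_ns() - start;
    return r;
}

/* Run check 2 with the sample's clock running `scale` times faster than real time. */
int64_t run_stalling_loop(int64_t scale, int64_t wait_ns) {
    hooks_install(0, 0, scale);
    return sample_stalling_loop(wait_ns);
}

int main(void) {
    const int64_t ms = 1000000LL;
    run_result a = run_sleep_check(0, 0, 50 * ms);  /* honest sleep: slow, undetected      */
    run_result b = run_sleep_check(1, 0, 50 * ms);  /* skip only: fast, but detected       */
    run_result c = run_sleep_check(1, 1, 50 * ms);  /* skip + fast-forward: fast, undetected */
    printf("real sleep    detected=%d real=%lld ms\n", a.detected, (long long)(a.real_elapsed_ns / ms));
    printf("skip only     detected=%d real=%lld ms\n", b.detected, (long long)(b.real_elapsed_ns / ms));
    printf("skip+forward  detected=%d real=%lld ms\n", c.detected, (long long)(c.real_elapsed_ns / ms));

    int64_t cost = run_stalling_loop(100, 500 * ms); /* sample wants to stall 500 ms */
    printf("stalling loop wanted 500 ms, cost us %lld ms\n", (long long)(cost / ms));
    return 0;
}
```

The middle configuration is the one naive sandboxes get wrong: the sleep is skipped, but the sample's before/after clock reads reveal it. The same consistency requirement extends to every time source the sample can reach (tick counters, the TSC, file timestamps, network time): if only one of them is adjusted, a sample that cross-checks two sources still spots the tampering.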

Designed around analysts, BluePill lets them customize its hooks and add new ones using insight gained during dissection, which is especially useful for targeted malware and new tricks. It is also immune to semantic gaps. In this talk, I will show how BluePill can defeat tricks from recent evasive samples and executable protectors, making it possible to dissect them on a standard VirtualBox installation alongside classic analysis tools.


Presenters:

  • Daniele Cono D'Elia - Postdoctoral researcher, Sapienza University of Rome
    Daniele Cono D'Elia is a postdoctoral researcher at Sapienza University of Rome. His research interests lie at the intersection of programming languages and software security. He currently plays with malware analysis, code reuse techniques, and code obfuscation. In a past life, he tackled program optimization problems, working with profilers and low-overhead program analyses, dynamic compilers for managed runtimes, and code transformations.
