dirtbox, a highly scalable x86/Windows Emulator

Presented at REcon 2010, July 11, 2010, 2 p.m. (60 minutes)

dirtbox is an attempt to implement a highly scalable x86/Windows emulator that can be used both for simple malware detection and for detailed behavior analysis reports. Instead of emulating every single x86 instruction in software, malware instructions are executed directly on the host CPU, one basic block at a time. A disassembly pass over each basic block ensures that no privileged or control-flow-subverting instructions are executed. Guest virtual memory is kept separate from the emulator's own memory by using special LDT segments and switching segment selectors before executing guest instructions. The operating system is emulated at the syscall layer. While this layer is mostly undocumented and implementing it accurately is a challenging task on its own, the fact that no register changes are leaked from Ring 0 thwarts a lot of detection techniques. For usage of the high-level APIs, the corresponding libraries are mapped directly into the virtual memory as well. Detection mechanisms such as the following are supported automatically:

  • Examination of the ecx register after a SEH-protected API call
  • Stolen bytes from an API library implementation
  • Direct reads and writes from PEB or other static locations or libraries

Presenters:

  • Georg Wicherski
    Georg is a Virus Analyst at Kaspersky Lab, researching and developing new prototypes for upcoming A/V technologies. He is a member of the Honeynet Project and his last public project was mwcollectd v4, a low interaction malware collection honeypot. Other interests include general low level fun, such as (advanced ;) ) binary exploitation; network development and high-performance async I/O coding; beer & women. He is an undergraduate student at RWTH Aachen University.
