"egg" - A Stealth fine grained code analyzer

Presented at REcon 2011, July 8, 2011, 3 p.m. (30 minutes).

In this presentation, I introduce a dynamic malware analyzer called "egg" and its implementation, focusing in particular on its taint tracing feature, which takes a novel approach: it traces the malware's context across the whole system from ring 0 and discards everything else as noise.

Most monitoring tools, such as Process Monitor and the various hook-based tools, work only in user mode, and their analysis is coarse grained: it stops at the level of API calls, which is too coarse for in-depth analysis. More innovative projects like Ether and BitBlaze offer fine-grained, instruction-level analysis, but depend on well-known virtual environments (the Xen hypervisor for Ether, QEMU-based emulation for BitBlaze's TEMU). Malware often detects these environments and changes its behavior accordingly.

That is the motivation for the fine-grained code analysis tool I have developed, called "egg". egg performs dynamic code analysis at the instruction level and runs in ring 0, so it does not depend on any virtual environment. It can monitor API calls, generate internal and external function call graphs, record branch information, and detect specified arbitrary instructions (e.g. a move to cr0). egg also includes taint tracing that limits the analysis scope to tainted regions only: code that belongs to, or is produced by, the sample. As a result, egg can separate the malware's own 'proper' API calls from the noise of the calls those APIs make internally.
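To make the context-taint idea concrete, here is a small Python model added for this page; it is not egg's code or the presenter's, and the instruction trace, the addresses and the export names in it are constructed for the example. The sample's image region starts out tainted; any region the sample writes to (an unpacked stub, injected code) becomes tainted as well, so its execution is traced; instructions that execute outside tainted code (inside an API, for instance) are dropped as noise; and a move to cr0 is reported only when tainted code executes it. A naive "log every call" view is shown next to it to make the difference visible.

```python
# Toy model of egg-style context taint tracing (added illustration, not egg's code).
# The trace, addresses and symbol names below are constructed for the example.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Insn:
    ip: int           # address the instruction executes at
    op: str           # call | ret | jmp | jcc | write | mov_cr0 | other
    target: int = 0   # call/jmp/jcc destination, or destination of a write
    size: int = 0     # bytes written, only for op == "write"


@dataclass
class Report:
    api_calls: List[str] = field(default_factory=list)        # tainted -> untainted calls
    internal_calls: List[Tuple[int, int]] = field(default_factory=list)
    branches: List[Tuple[int, int]] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)
    suppressed: int = 0                                       # instructions outside tainted code
    tainted: List[Tuple[int, int]] = field(default_factory=list)


class ContextTaintTracer:
    """Tracks which code regions belong to the sample and logs only from them."""

    def __init__(self, initial_region: Tuple[int, int], symbols: Dict[int, str]):
        self.regions = [initial_region]   # [lo, hi) ranges of tainted code
        self.symbols = symbols

    def is_tainted(self, addr: int) -> bool:
        return any(lo <= addr < hi for lo, hi in self.regions)

    def run(self, trace: List[Insn]) -> Report:
        r = Report()
        for insn in trace:
            if not self.is_tainted(insn.ip):
                # Inside an API (or anywhere else outside the sample): noise, drop it.
                r.suppressed += 1
                continue
            if insn.op == "write":
                # Tainted code emitted new bytes (unpacked stub, injected code):
                # the destination becomes tainted so its execution is traced too.
                self.regions.append((insn.target, insn.target + insn.size))
            elif insn.op == "call":
                if self.is_tainted(insn.target):
                    r.internal_calls.append((insn.ip, insn.target))
                else:
                    r.api_calls.append(self.symbols.get(insn.target, hex(insn.target)))
            elif insn.op in ("jmp", "jcc"):
                r.branches.append((insn.ip, insn.target))
            elif insn.op == "mov_cr0":
                # "specified arbitrary instruction" detection, e.g. clearing the WP bit
                r.alerts.append(f"mov to cr0 at {insn.ip:#x}")
        r.tainted = list(self.regions)
        return r


def naive_api_log(trace: List[Insn], symbols: Dict[int, str]) -> List[str]:
    """What a hook-everything view sees: every call into a known export,
    including the ones an API makes on its own behalf."""
    return [symbols[i.target] for i in trace if i.op == "call" and i.target in symbols]


SYMBOLS = {  # constructed addresses, not real export addresses
    0x77E10000: "kernel32!VirtualAlloc",
    0x7C900000: "ntdll!NtAllocateVirtualMemory",
    0x77E20000: "kernel32!CreateFileW",
}


def build_sample_trace() -> List[Insn]:
    """Constructed trace: a packed sample allocates memory, unpacks a stub into it,
    jumps there, and the unpacked code calls an API and touches cr0."""
    return [
        Insn(0x401000, "call", 0x77E10000),           # sample -> VirtualAlloc
        Insn(0x77E10000, "call", 0x7C900000),         #   VirtualAlloc -> NtAllocateVirtualMemory
        Insn(0x7C900000, "other"),                    #   inside ntdll
        Insn(0x7C900005, "ret"),
        Insn(0x77E10010, "ret"),                      #   back to the sample
        Insn(0x401005, "write", 0x00A00000, 0x1000),  # unpack into the fresh buffer
        Insn(0x40100A, "jmp", 0x00A00000),            # transfer to unpacked code
        Insn(0x00A00000, "call", 0x77E20000),         # unpacked -> CreateFileW
        Insn(0x77E20000, "ret"),
        Insn(0x00A00005, "call", 0x00A00100),         # internal helper in the unpacked stub
        Insn(0x00A00100, "mov_cr0"),
        Insn(0x00A00104, "ret"),
    ]


def analyze_sample() -> Report:
    tracer = ContextTaintTracer((0x401000, 0x402000), SYMBOLS)
    return tracer.run(build_sample_trace())


if __name__ == "__main__":
    rep = analyze_sample()
    print("naive:    ", naive_api_log(build_sample_trace(), SYMBOLS))
    print("egg-style:", rep.api_calls, rep.alerts, "suppressed:", rep.suppressed)
```

On the constructed trace the naive log contains NtAllocateVirtualMemory, which the sample never called itself, while the context-taint view reports only VirtualAlloc and CreateFileW, follows execution into the unpacked buffer because the sample wrote it, and raises the cr0 alert from there. One limitation of this simplified model is that a callback from an API back into tainted code is seen only once its instructions execute in a tainted region; the call instruction itself, issued from untainted code, is dropped.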

These features work in both user mode and kernel mode. The tool is highly stealthy and is useful for malware analysis, including rootkits and packed samples. Note that a kernel-mode sample runs at the same privilege level as the analyzer itself, so stealth against ring-0 rootkits rests on the analyzer's own concealment rather than on a hardware privilege boundary.

