Shabnam Aboughadareh, Christoph Csallner, M. Azarmi
{"title":"Mixed-Mode Malware and Its Analysis","authors":"Shabnam Aboughadareh, Christoph Csallner, M. Azarmi","doi":"10.1145/2689702.2689703","DOIUrl":null,"url":null,"abstract":"Mixed-mode malware contains user-mode and kernel-mode components that are interdependent. Such malware exhibits its main malicious payload only after it succeeds at corrupting the OS kernel. Such malware may further actively attack or subvert malware analysis components. Current malware analysis techniques are not effective against mixed-mode malware. To overcome the limitations of current techniques, we present an approach that combines whole-system analysis with outside-the-guest virtual machine introspection. We implement this approach in the SEMU tool for Windows. In our experiments SEMU could successfully analyze several mixed-mode malware samples that evade current analysis approaches. The runtime overhead of SEMU is in line with the most closely related dynamic analysis tools TEMU and Ether.","PeriodicalId":308663,"journal":{"name":"Proceedings of the 4th Program Protection and Reverse Engineering Workshop","volume":"3 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2014-12-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"3","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 4th Program Protection and Reverse Engineering Workshop","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2689702.2689703","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 3
Abstract
Mixed-mode malware contains user-mode and kernel-mode components that are interdependent. Such malware exhibits its main malicious payload only after it succeeds at corrupting the OS kernel. Such malware may further actively attack or subvert malware analysis components. Current malware analysis techniques are not effective against mixed-mode malware. To overcome the limitations of current techniques, we present an approach that combines whole-system analysis with outside-the-guest virtual machine introspection. We implement this approach in the SEMU tool for Windows. In our experiments SEMU could successfully analyze several mixed-mode malware samples that evade current analysis approaches. The runtime overhead of SEMU is in line with the most closely related dynamic analysis tools TEMU and Ether.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
