Abstract
Malware analysis is a task of utmost importance in cyber-security. Two approaches exist for malware analysis: static and dynamic. Modern malware uses an abundance of techniques to evade both dynamic and static analysis tools. Current dynamic analysis solutions either modify the running malware or rely on a higher-privilege component that performs the actual analysis. The former is easily detected by sophisticated malware, while the latter often induces a significant performance overhead. We propose a method that performs malware analysis within the context of the OS itself. Furthermore, the analysis component is camouflaged by a hypervisor, which makes it completely transparent to the running OS and its applications. The evaluation of the system's efficiency suggests that the induced performance overhead is negligible.
Highlights
Malicious software, or malware, refers to a program that is intended to cause damage to the host computer
Two basic approaches exist for malware analysis: static analysis and dynamic analysis (Gandotra et al., 2014; Saeed et al., 2013)
Summary
Malicious software, or malware, refers to a program that is intended to cause damage to the host computer. One possible way to map the monitoring component into the address space of the guest OS is to directly modify the OS page tables (the upper, kernel part of the address space). This method is intrusive and may cause system instabilities; for example, on Windows 10 we observed that the Windows memory manager generates a BSOD on such attempts. The hypervisor hooks the original system call handler so that it calls the monitoring component, which is mapped into the address space of the guest OS. The hypervisor protects the monitoring component from both modification and detection, as described in the "Security and transparency" section
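To make the hooking scheme concrete, the following is an added example, not code from the paper, that models the system call interposition in user-space C. The guest's system call entry is represented by a function pointer; installing the hook saves the original handler and redirects the entry to a monitor that records each call and forwards it unchanged, so the caller observes the same return values with or without the hook. All names (`install_hook`, `monitor_handler`, `guest_syscall`, the toy syscall numbers) are hypothetical, and the model does not reproduce the hypervisor's real redirection mechanism or its protection of the monitor's pages.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example (not the paper's code): a user-space model of hooking the
 * guest OS's system call handler so that it calls a monitoring component.
 * The real system redirects the guest's entry point from a hypervisor;
 * here the entry point is an ordinary function pointer. */

typedef long (*syscall_handler_t)(long nr, long a0, long a1, long a2);

/* Model of the guest OS's original dispatcher with two toy system calls
 * (hypothetical numbers 0 and 1). Unknown numbers fail like -ENOSYS. */
static long guest_original_handler(long nr, long a0, long a1, long a2) {
    (void)a2;
    switch (nr) {
    case 0: return a0 + a1;   /* toy "add" */
    case 1: return a0 * a1;   /* toy "mul" */
    default: return -38;      /* -ENOSYS */
    }
}

/* The entry point that would be redirected by the hypervisor. */
static syscall_handler_t syscall_entry = guest_original_handler;

/* Monitoring component state: the saved original handler and a small
 * trace buffer of observed calls. */
#define TRACE_CAP 16
struct trace_entry { long nr, a0, a1, a2, ret; };
static struct trace_entry trace_buf[TRACE_CAP];
static size_t trace_len;
static syscall_handler_t saved_original;

/* Monitor: forward to the original handler, record the call and its
 * result, and return the original's result so the caller sees no change. */
static long monitor_handler(long nr, long a0, long a1, long a2) {
    long ret = saved_original(nr, a0, a1, a2);
    if (trace_len < TRACE_CAP) {
        trace_buf[trace_len++] = (struct trace_entry){nr, a0, a1, a2, ret};
    }
    return ret;
}

/* Models the hypervisor redirecting the guest's entry to the monitor.
 * Idempotent: installing twice does not chain the monitor to itself. */
void install_hook(void) {
    if (syscall_entry == monitor_handler) return;
    saved_original = syscall_entry;
    syscall_entry = monitor_handler;
    trace_len = 0;
}

/* Restores the original entry point. */
void remove_hook(void) {
    if (syscall_entry != monitor_handler) return;
    syscall_entry = saved_original;
}

/* What guest code (including the analysed malware) invokes; it cannot
 * distinguish the hooked from the unhooked entry by return values. */
long guest_syscall(long nr, long a0, long a1, long a2) {
    return syscall_entry(nr, a0, a1, a2);
}

/* Accessors for the recorded trace. */
size_t trace_count(void) { return trace_len; }
long trace_nr(size_t i)  { return i < trace_len ? trace_buf[i].nr  : -1; }
long trace_ret(size_t i) { return i < trace_len ? trace_buf[i].ret : -1; }

int main(void) {
    install_hook();
    guest_syscall(0, 2, 3, 0);
    guest_syscall(1, 4, 5, 0);
    guest_syscall(9, 0, 0, 0);
    for (size_t i = 0; i < trace_count(); i++) {
        printf("syscall %ld -> %ld\n", trace_nr(i), trace_ret(i));
    }
    remove_hook();
    return 0;
}
```

The point the model isolates is transparency of the hook chain itself: every call, including one for an unknown system call number, returns exactly what the original handler returns, and the monitor's state lives outside the path the caller can observe. What the model leaves out is precisely what the paper attributes to the hypervisor: hiding and write-protecting the monitor's memory so that the guest cannot find or alter it.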