Abstract

In the process of malware analysis, information such as the API call sequences and opcodes of malware is an extremely valuable feature, but a large number of malware writers abuse various anti-reverse-engineering technologies to hide this information. To protect their malware, they usually use virtualization, obfuscation, packing, and anti-debugging techniques. These protections hinder the acquisition of malware information, making the reverse analysis and detection of malware more difficult. In this paper, we propose VABox: an executable software analysis framework based on virtualization technology. It monitors packed and virtualization-obfuscated applications and kernel modules, and is difficult for malware to discover. 1) Compared with an emulator, its execution speed is faster and it can also provide detailed run-time information about the malware, including the executed opcodes, complete API call information and shellcode information. 2) Compared with a traditional sandbox, it supplies a more realistic operating environment for malware, greatly reducing the possibility of being detected by the malware. 3) Compared with previous work, it obtains cleaner and more accurate sample data. 4) In addition, VABox provides developers with the ability to dump memory and to obtain and modify context information. We verified the effectiveness of VABox by testing a kernel rootkit and UPX-packed applications protected by VMProtect 3.4 on the Windows platform. Experimental results show that our tool can accurately and completely capture information such as the API call sequences and parameters of executable files.

Keywords: Virtualization; Obfuscation techniques; Software security; Reverse engineering; API monitor
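The abstract's point is that the API call sequences and parameters a monitor such as VABox captures are the raw material for detection features. As an added example (not code from the paper or the VABox project), the following script parses a constructed trace in a hypothetical `pid tid Api(args) = retval` line format, rebuilds the per-process call sequence, derives API n-gram features, and checks one parameter-linked call-order rule: an allocated remote buffer that is then written to and used as a thread start address.

```python
import re
from collections import Counter

# Constructed sample trace in a hypothetical VABox-style line format; the real
# tool's output format is not given in the abstract.
SAMPLE_TRACE = """\
1208 1212 VirtualAllocEx(0x1c4, 0x0, 0x2000, 0x3000, 0x40) = 0x7ff0000
1208 1212 WriteProcessMemory(0x1c4, 0x7ff0000, 0x2a3b10, 0x1f0, 0x0) = 0x1
1208 1212 CreateRemoteThread(0x1c4, 0x0, 0x0, 0x7ff0000, 0x0, 0x0, 0x0) = 0x1d8
1208 1212 CloseHandle(0x1c4) = 0x1
2044 2048 CreateFileW(0x3f2e10, 0x80000000, 0x1, 0x0, 0x3, 0x80, 0x0) = 0x9c
2044 2048 ReadFile(0x9c, 0x3f3000, 0x1000, 0x3f2ff0, 0x0) = 0x1
2044 2048 CloseHandle(0x9c) = 0x1
"""

LINE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\w+)\((.*?)\)\s*=\s*(0x[0-9a-fA-F]+)$")

def parse_trace(text):
    """Return {pid: [(api, [arg, ...], retval), ...]} in captured order."""
    seqs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate a malformed line instead of dropping the whole trace
        pid, _tid, api, args, ret = m.groups()
        arglist = [a.strip() for a in args.split(",")] if args else []
        seqs.setdefault(int(pid), []).append((api, arglist, int(ret, 16)))
    return seqs

def api_ngrams(seq, n=3):
    """Count overlapping n-grams of API names; a common sequence feature."""
    names = [api for api, _, _ in seq]
    return Counter(tuple(names[i:i + n]) for i in range(len(names) - n + 1))

def injection_chain(seq):
    """Addresses that were allocated in a remote process, written to, and then
    used as a remote thread start address. Linking parameters across calls is
    what the captured arguments add over a bare name sequence."""
    allocs = {ret for api, _, ret in seq if api == "VirtualAllocEx"}
    wrote = {int(a[1], 16) for api, a, _ in seq if api == "WriteProcessMemory" and len(a) > 1}
    started = {int(a[3], 16) for api, a, _ in seq if api == "CreateRemoteThread" and len(a) > 3}
    return allocs & wrote & started

if __name__ == "__main__":
    for pid, seq in parse_trace(SAMPLE_TRACE).items():
        print(pid, api_ngrams(seq).most_common(2), injection_chain(seq))
```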
