SPiKE: engineering malware analysis tools using unobtrusive binary-instrumentation
作者: Ramesh Yerraballi , Amit Vasudevan
DOI:
关键词:
摘要: Malware -- a generic term that encompasses viruses, trojans, spywares and other intrusive code is widespread today. analysis multi-step process providing insight into malware structure functionality, facilitating the development of an antidote. Behavior monitoring, important step in process, used to observe interaction with respect system achieved by employing dynamic coarse-grained binary-instrumentation on target system. However, current research involving binary-instrumentation, categorized probe-based just-in-time compilation (JIT), fail context malware. Probe-based schemes are not transparent. Most if all sensitive modification incorporating methods prevent their even instrument themselves for functionality stealthness. Current JIT schemes, though transparent, do support multithreading, self-modifying and/or self-checking (SM-SC) unable capture running kernel-mode. Also, they overkill terms latency instrumentation.To address this problem, we have developed new framework codenamed SPiKE, aids construction powerful tools combat becoming increasingly hard analyze. Our goal provide unobtrusive, portable, efficient, easy-to-use reusable, supporting multithreading SM-SC code, both user- In paper, discuss concept unobtrusive present design, implementation evaluation SPiKE. We also illustrate utility describing our experience tool SPiKE analyze real world
crpit.com
acm.org 参考文章(16)
Karim Yaghmour, Michel R. Dagenais, Measuring and characterizing system behavior using kernel-level event logging usenix annual technical conference. pp. 2- 2 ,(2000)
Bryan M. Cantrill, Adam H. Leventhal, Michael W. Shapiro, Dynamic instrumentation of production systems usenix annual technical conference. pp. 2- 2 ,(2004)
Nicholas Nethercote, Julian Seward, Valgrind: A Program Supervision Framework Electronic Notes in Theoretical Computer Science. ,vol. 89, pp. 44- 66 ,(2003) , 10.1016/S1571-0661(04)81042-9
Galen Hunt, Doug Brubacher, Detours: binary interception of Win32 functions conference on usenix windows nt symposium. pp. 14- 14 ,(1999)
Richard J. Moore, A Universal Dynamic Trace for Linux and Other Operating Systems usenix annual technical conference. pp. 297- 308 ,(2001)
Alec Wolman, Dennis Lee, Geoff Voelker, Wayne Wong, Brad Chen, Ted Romer, Hank Levy, Brian Bershad, Instrumentation and optimization of Win32/intel executables using Etch usenix windows nt workshop. pp. 1- 1 ,(1997)
James R. Larus, Eric Schnarr, EEL Proceedings of the ACM SIGPLAN 1995 conference on Programming language design and implementation - PLDI '95. ,vol. 30, pp. 291- 300 ,(1995) , 10.1145/207110.207163
Amitabh Srivastava, Alan Eustace, ATOM: a system for building customized program analysis tools programming language design and implementation. ,vol. 39, pp. 196- 205 ,(1994) , 10.1145/178243.178260
M. L. Soffa, J. W. Davidson, B. Childers, K. Scott, N. Kumar, S. Velusamy, Retargetable and reconfigurable software dynamic translation symposium on code generation and optimization. pp. 36- 47 ,(2003) , 10.5555/776261.776265
Chi-Keung Luk, Robert Cohn, Robert Muth, Harish Patil, Artur Klauser, Geoff Lowney, Steven Wallace, Vijay Janapa Reddi, Kim Hazelwood, Pin: building customized program analysis tools with dynamic instrumentation programming language design and implementation. ,vol. 40, pp. 190- 200 ,(2005) , 10.1145/1064978.1065034