DSD Tracer - implementation and experimentation

Boris Lau Sophos

  download slides (PDF)

Modern malware analysis is shifting towards dynamic behavioural analysis to assist static analysis in combating the increasing volume and complexity of samples. However, information between these two stages are not closely integrated, illustrated by the division of debugger and disassembler seen in many professional reverse engineering environments. Consequently collating and comparing low-level information between multiple samples, which is important for grouping/generic detection, is often difficult.

This paper will discuss a hybrid platform-independent framework - DSD Tracer. DSD Tracer is a way to collect low-level Dynamic analysis information (first D in DSD), such as a full assembly trace of sample(s) which could then be fed into various Static analysers (S in DSD) which automate the processing of huge amounts of information generated from the D step. To explore the full behaviour of a sample, one could re-execute the program under modified test states/environments and repeat the above cycle (and hence the recursive acronym of DSD).

A demonstration of DSD Tracer will be implemented using instrumentation of Virtual Machines. The algorithms used to analyse the output will be illustrated with graphical interfaces, such as the ability to backwards/forwards play dynamic assembly trace with multiple samples, to explore its advantage over traditional analysis tools for consolidating information derived from Dynamic and Static analysis.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.