Thursday 25 September 16:30 - 17:00, Red room.
Martin Hron AVAST Software
Jakub Jermář AVAST Software
SafeMachine is a modular dynamic instrumentation framework designed specifically with malware analysis in mind. We use it regularly to instrument the tens of thousands of malware and clean samples that live in our virus laboratory. However, we do not confine this technology solely to the artificial lab environment: every day, SafeMachine also helps to protect the computers of over 100 million active avast! 2014 (v.9) users. In this talk, we compare our solution with the other well-known instrumentation frameworks, Pin and DynamoRIO, and point out their emulation deficiencies, explaining why they are not currently a perfect fit for automated malware analysis. We show several test cases on which these frameworks behave incorrectly and deviate from native behaviour, and we compare the emulation abilities of all three frameworks on our large real-world malware and clean sets. Finally, we cover several solutions to problems such as proper handling of self-modifying code, exceptions, guest virtual memory and segment registers, and avoiding interference with the guest stack.
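As an added illustration of the kind of native-versus-instrumented test case the abstract refers to (example code written for this page, not SafeMachine's code and not any of the test cases from the talk), the probes below exercise two of the listed problem areas on x86-64 Linux: code that is patched in place and re-executed through the same pointer, and sentinel values written below the guest stack pointer around instructions that dynamic binary instrumentation frameworks commonly intercept. Natively both probes return 1; a framework that keeps running stale cached code, or that spills its own state onto the guest stack, would return 0. The sentinel values, the 256-byte stack adjustment and the choice of cpuid/rdtsc as the intercepted instructions are assumptions made here, not anything the talk specifies.

```c
/* Added example: native-vs-DBI behaviour probes for x86-64 Linux.
 * Not from the talk; the probe design and constants are assumptions. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

#if defined(__x86_64__) && defined(__linux__)

/* Self-modifying code probe. A stub is written into an RWX page, executed,
 * patched in place and executed again through the same pointer.
 * Returns 1 when the patched code runs (native x86 behaviour), 0 when the
 * old code runs (stale code cache), -1 if the RWX mapping is refused. */
int smc_probe(void)
{
    /* mov eax, imm32 ; ret  -> returns the immediate. */
    static const uint8_t stub_ret1[] = { 0xB8, 0x01, 0x00, 0x00, 0x00, 0xC3 };
    static const uint8_t stub_ret2[] = { 0xB8, 0x02, 0x00, 0x00, 0x00, 0xC3 };
    void *page = mmap(NULL, 4096, PROT_READ | PROT_WRITE | PROT_EXEC,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -1;

    int (*fn)(void);
    memcpy(&fn, &page, sizeof fn);      /* avoid the void*-to-function cast warning */

    memcpy(page, stub_ret1, sizeof stub_ret1);
    int first = fn();
    /* Patch in place with no protection change and no cache flush hint. */
    memcpy(page, stub_ret2, sizeof stub_ret2);
    int second = fn();

    munmap(page, 4096);
    return (first == 1 && second == 2) ? 1 : 0;
}

/* Guest-stack probe. Plants sentinels in the 128-byte red zone below rsp,
 * executes instructions a DBI framework typically intercepts (cpuid, rdtsc)
 * and checks that nothing below the guest stack pointer was overwritten.
 * Returns 1 if all sentinels survived, 0 otherwise. */
int redzone_probe(void)
{
    uint64_t sentinel[4] = { 0x5AFE0001DEADBEEFULL, 0x5AFE0002DEADBEEFULL,
                             0x5AFE0003DEADBEEFULL, 0x5AFE0004DEADBEEFULL };
    uint64_t seen[4] = { 0, 0, 0, 0 };

    __asm__ __volatile__ (
        /* Step below anything the compiler itself may keep in the red zone. */
        "subq $256, %%rsp\n\t"
        "movq 0(%[in]), %%rax\n\t"   "movq %%rax, -8(%%rsp)\n\t"
        "movq 8(%[in]), %%rax\n\t"   "movq %%rax, -16(%%rsp)\n\t"
        "movq 16(%[in]), %%rax\n\t"  "movq %%rax, -24(%%rsp)\n\t"
        "movq 24(%[in]), %%rax\n\t"  "movq %%rax, -32(%%rsp)\n\t"
        /* Instructions most frameworks emulate or virtualise. */
        "xorl %%eax, %%eax\n\t"
        "cpuid\n\t"
        "rdtsc\n\t"
        /* Read the sentinels back from below rsp. */
        "movq -8(%%rsp), %%rax\n\t"  "movq %%rax, 0(%[out])\n\t"
        "movq -16(%%rsp), %%rax\n\t" "movq %%rax, 8(%[out])\n\t"
        "movq -24(%%rsp), %%rax\n\t" "movq %%rax, 16(%[out])\n\t"
        "movq -32(%%rsp), %%rax\n\t" "movq %%rax, 24(%[out])\n\t"
        "addq $256, %%rsp\n\t"
        :
        : [in] "r" (sentinel), [out] "r" (seen)
        : "rax", "rbx", "rcx", "rdx", "memory", "cc");

    return memcmp(sentinel, seen, sizeof sentinel) == 0 ? 1 : 0;
}

#else
/* Unsupported platform: report -1 rather than a false deviation. */
int smc_probe(void)     { return -1; }
int redzone_probe(void) { return -1; }
#endif

int main(void)
{
    printf("self-modifying code probe:  %d\n", smc_probe());
    printf("guest-stack red-zone probe: %d\n", redzone_probe());
    return 0;
}
```

Run the binary natively, then under an instrumentation tool (for example a minimal Pin tool or DynamoRIO client) and compare the two outputs; any probe that prints 0 under instrumentation but 1 natively is a deviation of the kind the talk classifies. The red-zone probe relies on the System V x86-64 ABI guarantee that nothing asynchronous touches the 128 bytes below rsp, which is why the sentinels are stored inside that window.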