A new open-source hypervisor-level malware monitoring and extraction system - current state and further challenges

Wednesday 30 September 15:00 - 15:30, Red room

Michał Leszczyński (CERT Polska)
Krzysztof Stopczański (CERT Polska (Former))



During this talk, we will present DRAKVUF, an open-source blackbox binary analysis system. This project leverages Virtual Machine Introspection and Xen’s altp2m in order to serve its purpose in a very stealthy manner. We will describe our recent contributions to the project, including Windows API tracing and heuristic malware unpacking. Moreover, we will present how this approach can be used to extract configuration from malware samples. In addition, we would like to present some unique challenges that can be encountered when developing hypervisor-level monitors.

Virtual Machine Introspection is a technique used to determine the runtime state of a virtual machine. It may be employed on the host side, without any explicit interaction that would be visible to the inspected guest system.

Xen’s altp2m is a memory-management layer that leverages Intel Extended Page Tables in such a way that a single virtual machine may have multiple machine-to-physical pagetables that could be quickly swapped in runtime. This feature makes it possible to create an efficient, external monitoring system.

The proposed malware monitor works in clean, unmodified environments, without any changes to the target guest system. This distinguishes it from typical user (or kernel) level monitors that need to run their code inside the monitored VM. On the other hand, hypervisor level monitor can easily play with kernel mode, but not with higher abstraction layers. This is due to the semantic gap that is not easy to overcome. During the presentation, we will show a few tricks that may be leveraged in order to understand what is happening in user mode.

 

 

Michal Leszczyński

Michal Leszczyński works at CERT Polska where his main duties are related to the development of a custom infrastructure for malware analysis. Contributor to the DRAKVUF project. He also does some DevOps or x86 reverse engineering from time to time. Previously specialized in web security & development. Still fascinated by the number of ways the Internet can be broken.

 
  Krzysztof Stopczański

Krzysztof Stopczański is a former member of the CERT Polska Team, where his main duties were related to malware analysis and sandbox development. Contributor to the open-source DRAKVUF black-box binary analysis system. He also plays a lot of CTFs together with the p4 team, where he specializes in finding errors in web applications.


Back to VB2020 Programme page

Other VB2020 papers

The (f)utility of indicators

Gabriela Nicolao (Deloitte)
Brenden Conrad (Deloitte)

TBA

VB2020 closing

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.