Wednesday 30 September 15:00 - 15:30, Red room
Michał Leszczyński (CERT Polska)
Krzysztof Stopczański (CERT Polska (Former))
During this talk, we will present DRAKVUF, an open-source blackbox binary analysis system. This project leverages Virtual Machine Introspection and Xen’s altp2m in order to serve its purpose in a very stealthy manner. We will describe our recent contributions to the project, including Windows API tracing and heuristic malware unpacking. Moreover, we will present how this approach can be used to extract configuration from malware samples. In addition, we would like to present some unique challenges that can be encountered when developing hypervisor-level monitors.
Virtual Machine Introspection is a technique used to determine the runtime state of a virtual machine. It may be employed on the host side, without any explicit interaction that would be visible to the inspected guest system.
Xen’s altp2m is a memory-management layer that leverages Intel Extended Page Tables so that a single virtual machine may have multiple machine-to-physical pagetables (views) that can be swapped quickly at runtime. This feature makes it possible to build an efficient, external monitoring system.
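To make the "multiple views swapped at runtime" idea concrete, the following is an added toy model (not DRAKVUF or Xen code, and not Xen's altp2m API) of how an external monitor can use a second p2m view: the monitor keeps a shadow copy of a guest code page that carries a trap byte, maps it execute-only in its own view, and serves the guest's own data reads of that page from the untouched normal view. The page size, the "code" bytes and the `Machine`/`AltP2M`/`Guest`/`Monitor` names are all constructed for this example.

```python
"""Toy model of altp2m-style multi-view memory used by an external monitor.

Constructed simulation for illustration, not DRAKVUF's or Xen's implementation.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

PAGE_SIZE = 16   # deliberately tiny pages (constructed; real pages are 4 KiB)
INT3 = 0xCC      # one-byte software breakpoint opcode


class Machine:
    """Host RAM: machine frame number (mfn) -> page contents."""
    def __init__(self) -> None:
        self.frames: Dict[int, bytearray] = {}

    def alloc(self, data: bytes) -> int:
        assert len(data) == PAGE_SIZE
        mfn = len(self.frames)          # frames are never freed in this model
        self.frames[mfn] = bytearray(data)
        return mfn


@dataclass
class Mapping:
    mfn: int
    perms: str   # subset of "rwx"


class AltP2M:
    """Several guest-physical -> machine-physical views; one is active per vCPU."""
    def __init__(self, machine: Machine) -> None:
        self.machine = machine
        self.views: List[Dict[int, Mapping]] = [{}]   # view 0 = the normal view
        self.active = 0

    def new_view(self) -> int:
        # A fresh view starts as a copy of the normal view
        self.views.append({g: Mapping(m.mfn, m.perms) for g, m in self.views[0].items()})
        return len(self.views) - 1

    def translate(self, gfn: int, access: str) -> Mapping:
        m = self.views[self.active].get(gfn)
        if m is None or access not in m.perms:
            # In hardware this is an EPT violation, i.e. a VM exit to the host
            raise PermissionError(f"EPT violation gfn={gfn} access={access} view={self.active}")
        return m


class Monitor:
    """Host-side monitor: owns the shadow view and handles the VM exits."""
    def __init__(self, p2m: AltP2M) -> None:
        self.p2m = p2m
        self.shadow_view = p2m.new_view()
        self.traps: Dict[Tuple[int, int], int] = {}   # (gfn, off) -> original byte
        self.events: List[Tuple[str, int, int]] = []
        p2m.active = self.shadow_view                  # the guest runs in the shadow view

    def install_trap(self, gfn: int, off: int) -> None:
        normal = self.p2m.views[0][gfn]
        machine = self.p2m.machine
        copy = bytearray(machine.frames[normal.mfn])   # shadow copy of the page
        self.traps[(gfn, off)] = copy[off]
        copy[off] = INT3
        shadow_mfn = machine.alloc(bytes(copy))
        # Execute-only: any data read of this gfn in the shadow view exits to the host
        self.p2m.views[self.shadow_view][gfn] = Mapping(shadow_mfn, "x")

    def on_breakpoint(self, gfn: int, off: int) -> int:
        if (gfn, off) not in self.traps:
            return INT3                                # guest's own int3: deliver unchanged
        self.events.append(("breakpoint", gfn, off))
        # Single-step the original instruction from the untouched view, then resume
        return self._from_normal_view(gfn, off)

    def on_ept_violation(self, gfn: int, off: int) -> int:
        self.events.append(("hidden_read", gfn, off))
        return self._from_normal_view(gfn, off)       # guest never observes the trap byte

    def _from_normal_view(self, gfn: int, off: int) -> int:
        saved = self.p2m.active
        self.p2m.active = 0
        try:
            return self.p2m.machine.frames[self.p2m.translate(gfn, "r").mfn][off]
        finally:
            self.p2m.active = saved


class Guest:
    """Guest vCPU whose memory accesses resolve through the active p2m view."""
    def __init__(self, p2m: AltP2M, monitor: Monitor) -> None:
        self.p2m, self.monitor = p2m, monitor

    def read(self, gfn: int, off: int) -> int:         # data read (e.g. self-checksumming)
        try:
            m = self.p2m.translate(gfn, "r")
        except PermissionError:
            return self.monitor.on_ept_violation(gfn, off)
        return self.p2m.machine.frames[m.mfn][off]

    def fetch(self, gfn: int, off: int) -> int:        # instruction fetch / execute
        m = self.p2m.translate(gfn, "x")
        byte = self.p2m.machine.frames[m.mfn][off]
        return self.monitor.on_breakpoint(gfn, off) if byte == INT3 else byte


def run_demo() -> dict:
    """Constructed guest with one code page and one data page; trap at offset 4."""
    machine = Machine()
    p2m = AltP2M(machine)
    code = bytes(range(0x10, 0x10 + PAGE_SIZE))        # constructed "code" bytes
    p2m.views[0][0] = Mapping(machine.alloc(code), "rwx")
    p2m.views[0][1] = Mapping(machine.alloc(bytes(PAGE_SIZE)), "rw")
    mon = Monitor(p2m)
    guest = Guest(p2m, mon)
    mon.install_trap(gfn=0, off=4)
    shadow_mfn = p2m.views[mon.shadow_view][0].mfn
    return {
        "fetched": guest.fetch(0, 4),                  # trap fires, original byte executes
        "seen": guest.read(0, 4),                      # guest reads its own code: unmodified
        "untouched": guest.fetch(0, 5),
        "events": [e[0] for e in mon.events],
        "shadow_byte": machine.frames[shadow_mfn][4],  # only the host sees the 0xCC
        "normal_byte": machine.frames[0][4],
    }


if __name__ == "__main__":
    print(run_demo())
```

The point of the two views is that the guest's view of its own memory stays consistent: the trap byte exists only in the shadow frame, and every data read that would expose it is redirected through the normal view before the vCPU is switched back. Real hardware needs the single-step dance that `_from_normal_view` stands in for here.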
The proposed malware monitor works in clean, unmodified environments, without any changes to the target guest system. This distinguishes it from typical user-level (or kernel-level) monitors that need to run their code inside the monitored VM. On the other hand, a hypervisor-level monitor can easily work with kernel mode, but not with higher abstraction layers, because of the semantic gap, which is not easy to overcome. During the presentation, we will show a few tricks that may be leveraged in order to understand what is happening in user mode.
Michał Leszczyński

Krzysztof Stopczański is a former member of the CERT Polska Team, where his main duties were related to malware analysis and sandbox development. Contributor to the open-source DRAKVUF black-box binary analysis system. He also plays a lot of CTFs together with the p4 team, where he specializes in finding errors in web applications.