Virtual Machine Introspection in Malware Analysis – API Monitoring

LibVMI allows you to manipulate the memory, but in any case, it allows you to directly analyze malware behavior. In order to take advantage of LibVMI’s introspection system, it will be necessary for us to develop our own system to analyze malware based on the APIs provided by LibVMI.

In this article, we will focus on the monitoring of Windows Kernel APIs in order to trace the behavior of the malware. To determine the APIs to be monitored, it will be necessary to use the Rekall (Forensics framework) feature. This will allow us to download the .pdb file corresponding to the version of the Windows Kernel of the virtual machine, with the aim of recovering the offsets corresponding to the Kernel API. Finally, it will create a JSON file containing the names of the APIs or Windows structures and the corresponding offsets.

Below is an extract from the generated JSON file:

...

"NtCreateEnlistment": 3100512,

"NtCreateEvent": 3403920,

"NtCreateEventPair": 4530944,

"NtCreateFile": 3662112,

...

To the offsets, we add the Kernel base address to find the addresses in the memory of the Kernel APIs.

LibVMI provides different ways to monitor and interact from the hypervisor with the virtual machine memory.

Sponsorships Available

Sponsorships Available

Sponsorships Available

Monitoring via Breakpoints

The idea is here to place breakpoints (often used in reverse-engineering) on ​​the APIs that we want to monitor in the virtual machine during the initialization of the introspection system, while maintaining a lookup table of offsets of breakpoints placed and bytes modified. After the installation and launch of the introspection system, the malware calling the APIs on which we have placed breakpoints will be interrupted and a notification will be sent back to the hypervisor allowing us to find which executable has reached the breakpoint. Once the desired information (function name, its arguments) is recovered, we continue the execution of the (Read more...)