Virtual Machine Introspection in Malware Analysis – Use Case

To determine the behavior of a piece of malware, we will develop a script (based on LibVMI functions) that lets us trace the kernel APIs executed by the malware, together with their arguments.

1. Preparation

After choosing the domain name of the virtual machine, create the file containing the dictionary (the functions/structures and their offsets) and determine the name of the malware file to be analyzed.

The following command is launched from the hypervisor:

./monitor_api w6164-1 /tmp/w6164-1.json malware.exe

This script takes the following arguments:

  • w6164-1: The domain name of the virtual machine under Xen
  • /tmp/w6164-1.json: The file containing the functions/structures and the corresponding offsets
  • malware.exe: The malware we want to analyze

Below is the code allowing the initialization of our system of introspection:

// Create the altp2m view that will be altered with breakpoints
...
xc_altp2m_set_domain_state(xch, domain_id, 1);
...
xc_altp2m_create_view(xch, domain_id, 0, &shadow_view);
...

2. Breakpoints Insertion

We first define the APIs we want to monitor. Take, for example, the following three APIs:

  • NtCreateFile: Allows file creation/opening
  • NtSetValueKey: Create or replace the value of a registry key
  • NtDelayExecution: Delays execution (this API is executed when the Sleep API call is made from user mode). It can be used as an evasion technique

For more information on these APIs, you can refer to the MSDN documentation.

Afterwards, we insert the breakpoints in the altp2m view for each API.

// Add breakpoints on the monitored APIs in the altp2m view
...
xc_altp2m_set_domain_state(xch, domain_id, 1);
uint8_t trap = 0xcc;
// shadow is the frame number of the shadow page; shadow_offset is the API's offset within that page
vmi_write_8_pa(vmi, (shadow << 12) + shadow_offset, &trap);
...

3. Callbacks Initialization

In this example, we will initialize and rely on three types of callbacks.

3.1. Interrupt Events Callback

This callback is triggered each time a breakpoint is hit. It retrieves the desired information through the function process_event(). This function will allow to
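As an added illustration (not code from the original post, and using neither LibVMI nor Xen), the following stand-alone C model shows what sections 2 and 3.1 do together: the shadow frame gets an INT3 at each monitored API's page offset while the original frame stays untouched, and the interrupt callback maps a trapping address back to the API name. All addresses and page contents are constructed for the demo.

```c
#include <stdint.h>
#include <string.h>

#define PAGE_SIZE 4096
#define INT3 0xcc

/* One monitored kernel API: name, guest-physical address of its entry point,
   and the original byte that the INT3 replaces in the shadow view. */
typedef struct { const char *name; uint64_t gpa; uint8_t saved; } api_bp_t;

/* Build the shadow copy of one guest frame the way the altp2m view does: a
   byte-for-byte copy with an INT3 at each monitored API that lives in it.
   The original frame is never written, so the guest's normal view (and any
   self-checksumming code) still sees clean bytes. Returns breakpoints placed. */
int make_shadow_frame(const uint8_t *orig, uint64_t frame_gpa,
                      uint8_t *shadow, api_bp_t *bps, int n) {
    int placed = 0;
    memcpy(shadow, orig, PAGE_SIZE);
    for (int i = 0; i < n; i++) {
        if ((bps[i].gpa & ~(uint64_t)(PAGE_SIZE - 1)) != frame_gpa) continue;
        uint64_t off = bps[i].gpa & (PAGE_SIZE - 1);
        bps[i].saved = orig[off];  /* kept for logging and for stepping in view 0 */
        shadow[off] = INT3;
        placed++;
    }
    return placed;
}

/* Interrupt-event side: map the trapping address back to a monitored API.
   NULL means the INT3 was the guest's own and must be reinjected, not logged. */
const api_bp_t *resolve_trap(uint64_t gpa, const api_bp_t *bps, int n) {
    for (int i = 0; i < n; i++)
        if (bps[i].gpa == gpa) return &bps[i];
    return NULL;
}

/* Constructed demo data (not real offsets): one 4 KiB kernel frame at GPA
   0x7a000 holding two of the three monitored APIs; the third lives elsewhere. */
static uint8_t g_orig[PAGE_SIZE], g_shadow[PAGE_SIZE];
static api_bp_t g_bps[] = {
    { "NtCreateFile",     0x7a120, 0 },
    { "NtSetValueKey",    0x7a3c0, 0 },
    { "NtDelayExecution", 0x7b040, 0 },
};
#define N_BPS 3

int setup_demo(void) {
    memset(g_orig, 0x90, PAGE_SIZE);  /* stand-in code bytes (NOPs) */
    return make_shadow_frame(g_orig, 0x7a000, g_shadow, g_bps, N_BPS);
}
```

After setup_demo() the shadow frame carries two INT3s and the original frame none, which is exactly the property the altp2m view provides to the real script.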

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Youness Zougar. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/ktABjs18_oE/