DocumentCode
2330604
Title
Stealthy Profiling and Debugging of Malware Trampolining from User to Kernel Space
Author
Raber, Jason
Author_Institution
Cyber Res. Lab., Riverside Res., Beavercreek, OH, USA
fYear
2011
fDate
17-20 Oct. 2011
Firstpage
431
Lastpage
432
Abstract
A reverse engineer trying to understand protected malware binaries is faced with avoiding detection by antidebugging protections. Advanced protection systems may even load specialized drivers that can re-flash firmware and change the privileges of running applications, significantly increasing the penalty of detection. Hades is a Windows kernel driver designed to aid reverse engineering endeavors. It avoids detection by employing intelligent instrumentation via instruction rerouting in both user and kernel space. This technique allows a reverse engineer to easily debug and profile binaries without fear of invoking protection penalties.
Keywords
invasive software; program debugging; reverse engineering; Hades; Windows kernel driver; antidebugging protection; instruction rerouting; intelligent instrumentation; malware; reverse engineering; stealthy profiling; Aerospace electronics; Debugging; Instruments; Kernel; Malware; Registers; Reverse engineering; Kernel driver; anti-debugging; cyber; function hooking; reverse engineering;
fLanguage
English
Publisher
ieee
Conference_Titel
Reverse Engineering (WCRE), 2011 18th Working Conference on
Conference_Location
Limerick
ISSN
1095-1350
Print_ISBN
978-1-4577-1948-6
Type
conf
DOI
10.1109/WCRE.2011.62
Filename
6079873
Link To Document