Saved in:
Bibliographic Details
Main Authors: Karvandi, Mohammad Sina, Meghdadizanjani, Soroush, Arasteh, Sima, Monfared, Saleh Khalaj, Fallah, Mohammad K., Gorgin, Saeid, Lee, Jeong-A, van der Kouwe, Erik
Format: Preprint
Published: 2024
Subjects:
Online Access:https://arxiv.org/abs/2405.00298
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866914778625081344
author Karvandi, Mohammad Sina
Meghdadizanjani, Soroush
Arasteh, Sima
Monfared, Saleh Khalaj
Fallah, Mohammad K.
Gorgin, Saeid
Lee, Jeong-A
van der Kouwe, Erik
author_facet Karvandi, Mohammad Sina
Meghdadizanjani, Soroush
Arasteh, Sima
Monfared, Saleh Khalaj
Fallah, Mohammad K.
Gorgin, Saeid
Lee, Jeong-A
van der Kouwe, Erik
contents Existing anti-malware software and reverse engineering toolkits struggle with stealthy sub-OS rootkits due to limitations of run-time kernel-level monitoring. A malicious kernel-level driver can bypass OS-level anti-virus mechanisms easily. Although static analysis of such malware is possible, obfuscation and packing techniques complicate offline analysis. Moreover, current dynamic analyzers suffer from virtualization performance overhead and create detectable traces that allow modern malware to evade them. To address these issues, we present \textit{The Reversing Machine} (TRM), a new hypervisor-based memory introspection design for reverse engineering, reconstructing memory offsets, and fingerprinting evasive and obfuscated user-level and kernel-level malware. TRM proposes two novel techniques that enable efficient and transparent analysis of evasive malware: hooking a binary using suspended process creation for hypervisor-based memory introspection, and leveraging Mode-Based Execution Control (MBEC) to detect user/kernel mode transitions and memory access patterns. Unlike existing malware detection environments, TRM can extract full memory traces in user and kernel spaces and hook the entire target memory map to reconstruct arrays, structures within the operating system, and possible rootkits. We perform TRM-assisted reverse engineering of kernel-level structures and show that it can speed up manual reverse engineering by 75\% on average. We obfuscate known malware with the latest packing tools and successfully perform similarity detection. Furthermore, we demonstrate a real-world attack by deploying a modified rootkit onto a driver that bypasses state-of-the-art security auditing tools. We show that TRM can detect each threat and that, out of 24 state-of-the-art AV solutions, only TRM can detect the most advanced threats.
format Preprint
id arxiv_https___arxiv_org_abs_2405_00298
institution arXiv
publishDate 2024
record_format arxiv
spellingShingle The Reversing Machine: Reconstructing Memory Assumptions
Karvandi, Mohammad Sina
Meghdadizanjani, Soroush
Arasteh, Sima
Monfared, Saleh Khalaj
Fallah, Mohammad K.
Gorgin, Saeid
Lee, Jeong-A
van der Kouwe, Erik
Cryptography and Security
Existing anti-malware software and reverse engineering toolkits struggle with stealthy sub-OS rootkits due to limitations of run-time kernel-level monitoring. A malicious kernel-level driver can bypass OS-level anti-virus mechanisms easily. Although static analysis of such malware is possible, obfuscation and packing techniques complicate offline analysis. Moreover, current dynamic analyzers suffer from virtualization performance overhead and create detectable traces that allow modern malware to evade them. To address these issues, we present \textit{The Reversing Machine} (TRM), a new hypervisor-based memory introspection design for reverse engineering, reconstructing memory offsets, and fingerprinting evasive and obfuscated user-level and kernel-level malware. TRM proposes two novel techniques that enable efficient and transparent analysis of evasive malware: hooking a binary using suspended process creation for hypervisor-based memory introspection, and leveraging Mode-Based Execution Control (MBEC) to detect user/kernel mode transitions and memory access patterns. Unlike existing malware detection environments, TRM can extract full memory traces in user and kernel spaces and hook the entire target memory map to reconstruct arrays, structures within the operating system, and possible rootkits. We perform TRM-assisted reverse engineering of kernel-level structures and show that it can speed up manual reverse engineering by 75\% on average. We obfuscate known malware with the latest packing tools and successfully perform similarity detection. Furthermore, we demonstrate a real-world attack by deploying a modified rootkit onto a driver that bypasses state-of-the-art security auditing tools. We show that TRM can detect each threat and that, out of 24 state-of-the-art AV solutions, only TRM can detect the most advanced threats.
title The Reversing Machine: Reconstructing Memory Assumptions
topic Cryptography and Security
url https://arxiv.org/abs/2405.00298