Bibliographic Details
Main Authors: Long, Zhangbo, Sha, Letian, Pan, Jiaye, Huang, Haiping, Xu, Dongpeng, Huang, Yifei, Xiao, Fu
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2512.22043
author Long, Zhangbo
Sha, Letian
Pan, Jiaye
Huang, Haiping
Xu, Dongpeng
Huang, Yifei
Xiao, Fu
contents Binary program analysis is a fundamental pillar of modern system security. Despite significant progress, fine-grained methodologies such as dynamic taint analysis still suffer from deployment complexity and performance overhead. Traditional in-process analysis tools trigger severe address-space conflicts that inevitably disrupt the native memory layout of the target. These conflicts frequently cause layout-sensitive exploits and evasive malware to deviate from their intended execution paths or fail entirely. This paper introduces HALF, a novel framework that resolves this fundamental tension while ensuring both analysis fidelity and practical performance. HALF achieves high-fidelity address-space transparency by leveraging a kernel-assisted process hollowing mechanism, which eliminates the observation artifacts that characterize traditional instrumentation tools. We further mitigate the synchronization latency of decoupled execution with an exception-driven strategy implemented via a lightweight kernel monitor. Extensive evaluation of a Windows-based prototype demonstrates that HALF maintains superior performance compared to conventional in-process baselines, and that it provides unique capabilities for deconstructing complex, stealthy threats where existing frameworks fail to maintain execution integrity.
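The address-space conflict the abstract refers to can be reproduced in a few lines. The following is an added illustration, not code from the HALF paper (whose prototype targets Windows): a Linux/x86-64 model in which a constructed layout-sensitive payload assumes a fixed virtual range is free, the way a reflective loader or a second-stage shellcode might, and an in-process analysis tool reserves overlapping memory for its own bookkeeping (shadow memory, code cache). The fixed address and the tool's reservation are assumptions chosen for the demonstration; the only real API used is mmap with MAP_FIXED_NOREPLACE.

```c
// Added example (not from the HALF paper): a minimal model of the
// "address-space conflict" between an in-process analysis tool and a
// layout-sensitive target. Linux, 64-bit.
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/mman.h>

/* Fixed address the constructed payload was built for. Assumption: this
 * range (64 GiB) is unused in a normal process, well away from the
 * executable, the brk heap and the mmap base. */
#define STAGE_ADDR ((void *)0x1000000000ULL)
#define STAGE_SIZE (64 * 1024)
#ifndef MAP_FIXED_NOREPLACE
#define MAP_FIXED_NOREPLACE 0x100000 /* Linux >= 4.17; older kernels treat it as a hint */
#endif

/* In-process instrumentation attaching to the target: it reserves a region
 * that happens to overlap STAGE_ADDR, the same way a taint tracker's shadow
 * memory or a DBI framework's code cache competes with the target for
 * addresses. Returns MAP_FAILED if the region was already occupied. */
static void *inprocess_tool_attach(void) {
    return mmap(STAGE_ADDR, STAGE_SIZE, PROT_READ | PROT_WRITE,
                MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED_NOREPLACE, -1, 0);
}

static void inprocess_tool_detach(void *region) {
    if (region != MAP_FAILED) munmap(region, STAGE_SIZE);
}

/* The layout-sensitive stage. Returns 1 if it obtained exactly the address
 * it depends on (intended path), 0 if a conflict forced it onto a fallback
 * path: either mmap fails with EEXIST, or an older kernel silently
 * relocates the mapping so the address check fails. */
static int layout_sensitive_stage(void) {
    void *p = mmap(STAGE_ADDR, STAGE_SIZE, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED_NOREPLACE, -1, 0);
    if (p == MAP_FAILED) return 0;
    int intended = (p == STAGE_ADDR);
    munmap(p, STAGE_SIZE);
    return intended;
}

/* Observer living outside the target's address space: the target's layout
 * is untouched, so the stage reaches its intended path. */
int stage_without_tool(void) { return layout_sensitive_stage(); }

/* Observer living inside the target's address space: its own reservation
 * collides with the stage, which now takes the fallback path. */
int stage_with_inprocess_tool(void) {
    void *tool = inprocess_tool_attach();
    int intended = layout_sensitive_stage();
    inprocess_tool_detach(tool);
    return intended;
}

int main(void) {
    printf("intended path, no tool in-process:   %d\n", stage_without_tool());
    printf("intended path, tool in-process:      %d\n", stage_with_inprocess_tool());
    return 0;
}
```

The second call returning 0 is the failure mode the abstract describes: the target has not been tampered with by anything it could detect, yet its execution diverges purely because the analysis tool shares its address space. An out-of-process observer, which is what the hollowing design in the abstract aims for, leaves the range free and the first result stands.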
format Preprint
id arxiv_https___arxiv_org_abs_2512_22043
institution arXiv
publishDate 2025
record_format arxiv
title HALF: Hollowing Analysis Framework for Binary Programs with Kernel Module Assistance
topic Software Engineering
url https://arxiv.org/abs/2512.22043