Sciweavers

Share
DIMVA
2010

dAnubis - Dynamic Device Driver Analysis Based on Virtual Machine Introspection

9 years 4 months ago
dAnubis - Dynamic Device Driver Analysis Based on Virtual Machine Introspection
Abstract. In the escalating arms race between malicious code and security tools designed to analyze it, detect it or mitigate its impact, malicious code running inside the operating system kernel provides an extremely powerful tool. Kernel-level code can introduce hard to detect backdoors, provide stealth by hiding files, processes or other resources and in general tamper with operating system code and data in arbitrary ways. Under Windows, kernel-level malicious code typically takes the form of a device driver. In this work, we present dAnubis, a system for the realtime, dynamic analysis of malicious Windows device drivers. dAnubis can automatically provide a high-level, human-readable report of a driver's behavior on the system. We applied our system to a dataset of over 400 malware samples. The results of this analysis shed some light on the behavior of kernel-level malicious code that is in the wild today.
Matthias Neugschwandtner, Christian Platzer, Paolo
Added 06 Dec 2010
Updated 06 Dec 2010
Type Conference
Year 2010
Where DIMVA
Authors Matthias Neugschwandtner, Christian Platzer, Paolo Milani Comparetti, Ulrich Bayer
Comments (0)
books