Title :
Re-inforced stealth breakpoints
Author_Institution :
CyLab, Carnegie Mellon Univ., Pittsburgh, PA, USA
Abstract :
This paper extends VAMPiRE, a stealth breakpoint framework specifically tailored for microscopic malware analysis. Stealth breakpoints are designed to provide an unlimited number of code, data and I/O breakpoints that cannot be detected or countered. However, in this paper we present several attacks that can be used to detect and counter VAMPiRE. We then present a solution towards preventing such attacks in the form of a new breakpoint framework named Galanus. Galanus also adds support for legacy I/O breakpoints in kernel mode, an important feature required to analyze keyloggers, BIOS flashers, CMOS updaters and rootkits. We also evaluate Galanus, comparing it to VAMPiRE in the context of a few real-world malware samples.
Keywords :
invasive software; software engineering; BIOS flashers; CMOS updaters; Galanus; I/O breakpoints; VAMPiRE; kernel mode; keyloggers; microscopic malware analysis; reinforced stealth breakpoints; rootkits; Counting circuits; Emulation; Hardware; Ice; Microscopy; Performance analysis; Registers; Runtime; Software debugging; Debugging; Malware Analysis; Stealth Breakpoints;
Conference_Title :
Risks and Security of Internet and Systems (CRiSIS), 2009 Fourth International Conference on
Conference_Location :
Toulouse
Print_ISBN :
978-1-4244-4498-4
Electronic_ISBN :
2151-4763
DOI :
10.1109/CRISIS.2009.5411978