dAnubis – Dynamic Device Driver Analysis Based on Virtual Machine Introspection

Neugschwandtner, Matthias; Platzer, Christian; Comparetti, Paolo Milani; Bayer, Ulrich

doi:10.1007/978-3-642-14215-4_3

Cited by 20 publications

(14 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…The Anubis driver reports to a usermode application, which communicates with the analysis component over a virtual network. The Anubis extension dAnubis [23] patches the kernel functions that load kernelmode modules. The patched functions then notify dAnubis when kernel-mode malware is loaded.…”

Section: Inside-vs Outside-the-guest Vmimentioning

confidence: 99%

“…An example kernel-only analysis is the Anubis extension dAnubis [23]. It is notified whenever malware is loaded into kernel memory.…”

Section: Scope: Single-domain Vs Whole-systemmentioning

confidence: 99%

“…We are not aware of any current outside-the-guest VMI kernel-only analysis systems. But dAnubis is a well-known in-guest VMI kernelonly system [23].…”

Section: Misleading Kernel-only Analysismentioning

confidence: 99%

See 2 more Smart Citations

Mixed-Mode Malware and Its Analysis

Aboughadareh

Csallner

Azarmi

2014

Proceedings of the 4th Program Protection and Reverse Engineering Workshop

View full text Add to dashboard Cite

Mixed-mode malware contains user-mode and kernel-mode components that are interdependent. Such malware exhibits its main malicious payload only after it succeeds at corrupting the OS kernel. Such malware may further actively attack or subvert malware analysis components. Current malware analysis techniques are not effective against mixedmode malware. To overcome the limitations of current techniques, we present an approach that combines whole-system analysis with outside-the-guest virtual machine introspection. We implement this approach in the SEMU tool for Windows. In our experiments SEMU could successfully analyze several mixed-mode malware samples that evade current analysis approaches. The runtime overhead of SEMU is in line with the most closely related dynamic analysis tools TEMU and Ether.

show abstract

Section: Inside-vs Outside-the-guest Vmimentioning

confidence: 99%

“…An example kernel-only analysis is the Anubis extension dAnubis [23]. It is notified whenever malware is loaded into kernel memory.…”

Section: Scope: Single-domain Vs Whole-systemmentioning

confidence: 99%

See 1 more Smart Citation

Mixed-Mode Malware and Its Analysis

Aboughadareh

Csallner

Azarmi

2014

Proceedings of the 4th Program Protection and Reverse Engineering Workshop

View full text Add to dashboard Cite

show abstract

“…Neugschwandtner et al propose dAnubis [13], which dynamically analyzes malicious MS Windows device drivers. It includes integrity checking of drivers by placing them under supervision.…”

Section: Related Workmentioning

confidence: 99%

ModChecker: Kernel Module Integrity Checking in the Cloud Environment

Ahmed

Zoranic

Javaid

et al. 2012

2012 41st International Conference on Parallel Processing Workshops

View full text Add to dashboard Cite

Kernel modules are an integral part of most operating systems (OS) as they provide flexible ways of adding new functionalities (such as file system or hardware support) to the kernel without the need to recompile or reload the entire kernel. Aside from providing an interface between the user and the hardware, these modules maintain system security and reliability. Malicious kernel level exploits (e.g. code injections) provide a gateway to a system's privileged level where the attacker has access to an entire system. Such attacks may be detected by performing code integrity checks. Several commodity operating systems (such as Linux variants and MS Windows) maintain signatures of different pieces of kernel code in a database for code integrity checking purposes. However, it quickly becomes cumbersome and time consuming to maintain a database of legitimate dynamic changes in the code, such as regular module updates. In this paper we present ModChecker, which checks in-memory kernel modules' code integrity in real time without maintaining a database of hashes. Our solution applies to virtual environments that have multiple virtual machines (VMs) running the same version of the operating system, an environment commonly found in large cloud servers. ModChecker compares kernel module among a pool of VMs within a cloud. We thoroughly evaluate the effectiveness and runtime performance of ModChecker and conclude that ModChecker is able to detect any change in a kernel module's headers and executable content with minimal or no impact on the guest operating systems' performance.

show abstract

“…dAnubis [14] is the technique suggested for VM introspection from outside of it. This method is the successor of Anubis and exclusively monitors Windows device drivers and kernel behaviour.…”

Section: I/o Introspectionmentioning

confidence: 99%

Virtual machine introspection: towards bridging the semantic gap

Tapaswi

2014

J Cloud Comp

View full text Add to dashboard Cite

Virtual machine introspection is a technique used to inspect and analyse the code running on a given virtual machine. Virtual machine introspection has gained considerable attention in the field of computer security research. In recent years, it has been applied in various areas, ranging from intrusion detection and malware analysis to complete cloud monitoring platforms. A survey of existing virtual machine introspection tools is necessary to address various possible research gaps and to focus on key features required for wide application of virtual machine introspection techniques. In this paper, we focus on the evolution of virtual machine introspection tools and their ability to address the semantic gap problem.

show abstract

dAnubis – Dynamic Device Driver Analysis Based on Virtual Machine Introspection

Cited by 20 publications

References 16 publications

Mixed-Mode Malware and Its Analysis

Mixed-Mode Malware and Its Analysis

ModChecker: Kernel Module Integrity Checking in the Cloud Environment

Virtual machine introspection: towards bridging the semantic gap

Contact Info

Product

Resources

About