Stealth Loader: Trace-Free Program Loading for API Obfuscation

Kawakoya, Yuhei; Shioji, Eitaro; Otsuki, Yuto; Yada, Takeshi

doi:10.1007/978-3-319-66332-6_10

Cited by 7 publications

(10 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Stealth Loader was introduced by Kawakoya et al [26] for evading existing static and dynamic analysis tools. It is a program loader that loads Windows system DLLs such as kernel32.dll or ntdll.dll without leaving any trace to be detected.…”

Section: Hook Evasionmentioning

confidence: 99%

“…The purpose of this experiment is to show the feasibility of API Chaser against state-of-the-art evasion techniques including those introduced in academic studies. For that purpose, we collected proof-of-concept (PoC) codes of the following techniques, Process Hollowing [29], [31], AtomBombing [7], [30], PowerLoaderEx [6], Shim-based DLL Injection [40], and Stealth Loader [26]. Then, we generated synthetic malware samples based on the PoC codes and analyzed them with API Chaser.…”

Section: Synthetic Malware Experimentsmentioning

confidence: 99%

“…However, since malware developers are now familiar with malware analysis techniques, they embed anti-analysis functions into their malware to evade API monitoring [6], [7], [26], [29], [30], [31], [40], [49], [56]. Various anti-analysis techniques that evade API monitoring have currently been adopted in malware in the wild.…”

Section: Introductionmentioning

confidence: 99%

“…We also evaluated API Chaser with several synthetic malware, in which state-of-the-art evasive techniques were implemented. The experimental results show that API Chaser is sufficiently robust against new emerging techniques such as Process Hollowing [29], AtomBombing [30], PowerLoaderEx [6], Shim-based DLL Injection [40], and Stealth Loader [26].…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

API Chaser: Taint-Assisted Sandbox for Evasive Malware Analysis

Kawakoya¹,

Shioji²,

Miyoshi³

2019

Journal of Information Processing

Self Cite

View full text Add to dashboard Cite

We propose a design and implementation for an Application Programming Interface (API) monitoring system called API Chaser, which is resistant to evasion-type anti-analysis techniques, e.g., stolen code and code injection. The core technique in API Chaser is code tainting, which enables us to identify precisely the execution of monitored instructions by propagating three types of taint tags added to the codes of API, malware, and benign executables, respectively. Additionally, we introduce taint-based control transfer interception, which is a technique to capture precisely API calls invoked from evasive malware. We evaluate API Chaser based on several real-world and synthetic malware to demonstrate the accuracy of our API hooking technique. We also perform a large-scale malware experiment by analyzing 8,897 malware samples to show the practical capability of API Chaser. These experimental results show that 701 out of 8,897 malware samples employ hook evasion techniques to hide specific API calls, while 344 malware ones use target evasion techniques to hide the source of API calls.

show abstract

Section: Hook Evasionmentioning

confidence: 99%

Section: Synthetic Malware Experimentsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

API Chaser: Taint-Assisted Sandbox for Evasive Malware Analysis

Kawakoya¹,

Shioji²,

Miyoshi³

2019

Journal of Information Processing

Self Cite

View full text Add to dashboard Cite

show abstract

“…These techniques are used to obfuscate the positions of placed APIs by making copies of them. DLL Unlinking [16] and Stealth Loader [12] are examples of DLL position obfuscation techniques. These techniques obfuscate the locations of loaded DLLs by hiding data structures containing their metadata.…”

Section: Introductionmentioning

confidence: 99%

Taint-assisted IAT Reconstruction against Position Obfuscation

Kawakoya¹,

Miyoshi²

2018

Journal of Information Processing

Self Cite

View full text Add to dashboard Cite

Windows Application Programming Interface (API) is an important data source for analysts to effectively understand the functions of malware. Due to this, malware authors are likely to hide the imported APIs in their malware by taking advantage of various obfuscation techniques. In this paper, we first build a formal model of the Import Address Table (IAT) reconstruction procedure to keep our description independent of specific implementations and then formally point out that the current IAT reconstruction is vulnerable to position obfuscation techniques, which are anti-analysis techniques obfuscating the positions of loaded APIs or Dynamic Link Libraries (DLLs). Next, we introduce an approach for API name resolution, which is an essential step in IAT reconstruction, on the basis of taint analysis to defeat position obfuscation techniques. The key idea of our approach is that we first define taint tags, each of which has a unique value for each API, apply the taint of the API to each of its instructions, track the movement of the API instructions by propagating the tags, and then resolve API names from the propagated tags for IAT reconstruction after acquiring a memory dump of the process under analysis. Finally, we experimentally demonstrate that a system in which our proposed API name resolution has been implemented enables us to correctly identify imported APIs even when malware authors apply various position obfuscation techniques to their malware.

show abstract