Key Idea
TRM, a novel hypervisor-based framework, enables efficient and transparent reverse engineering and malware analysis by reconstructing memory layouts, detecting transitions between user and kernel modes, and generating comprehensive memory access traces for signature-based detection of sophisticated, evasive malware.
Abstract
The paper presents TRM, a hypervisor-based framework for reverse engineering and malware analysis. TRM leverages hardware-assisted virtualization features to provide comprehensive memory introspection capabilities, enabling it to overcome the limitations of existing approaches.
Key highlights:
- TRM employs a multi-layer EPT layout and Mode-Based Execution Control (MBEC) to efficiently intercept and filter memory accesses, allowing it to generate detailed memory traces with minimal performance overhead.
- TRM's memory layout reconstruction module can recover entry points, calling conventions, memory allocations, and memory offsets in data structures, even for highly obfuscated and evasive malware.
- The memory analyzer module in TRM enables various analysis tasks, including detecting long-range data dependencies, finding similarities across different compilers and architectures, and identifying source code modifications.
- TRM is evaluated against state-of-the-art evasive malware and demonstrates its ability to detect threats that evade commercial antivirus solutions.
Overall, TRM provides a comprehensive solution for reverse engineering and malware analysis, addressing the challenges posed by modern, stealthy kernel-level rootkits and user-mode malware.
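The multi-layer EPT plus MBEC mechanism from the highlights above, as an added Python model that is not TRM's code: each EPT layer grants execute permission to only one privilege mode, so the first instruction fetch after a user/kernel switch raises an EPT violation that the hypervisor logs as a transition before switching layers, and a toy signature is then matched over the resulting trace. The two-layer arrangement, the page size, the trace tuple shape and the signature format are assumptions chosen for illustration.

```python
from dataclasses import dataclass

PAGE = 0x1000  # assumption: 4 KiB guest pages

@dataclass
class EptEntry:
    exec_user: bool = False   # MBEC "XU" bit: execute allowed in user mode
    exec_super: bool = False  # MBEC "XS" bit: execute allowed in supervisor mode

def build_layers(user_pages, kernel_pages):
    """Two EPT layers, each granting execute only to its own mode, so the first
    fetch after a privilege switch faults once (constructed model, not TRM's)."""
    user_layer = {p: EptEntry(exec_user=True) for p in user_pages}
    user_layer.update({p: EptEntry() for p in kernel_pages})
    kernel_layer = {p: EptEntry(exec_super=True) for p in kernel_pages}
    kernel_layer.update({p: EptEntry() for p in user_pages})
    return {"user": user_layer, "kernel": kernel_layer}

class Monitor:  # hypervisor side: handles EPT violations, records the trace
    def __init__(self, layers):
        self.layers = layers
        self.active = "user"   # EPT layer the vCPU currently runs under
        self.trace = []        # (event, mode, page) tuples

    def fetch(self, cpl, addr):
        """Guest fetch at privilege level cpl (3 = user, 0 = kernel); True on VM exit."""
        mode = "user" if cpl == 3 else "kernel"
        page = addr // PAGE
        entry = self.layers[self.active].get(page, EptEntry())
        allowed = entry.exec_user if mode == "user" else entry.exec_super
        if allowed:
            return False  # common case: no exit, no overhead
        # EPT violation: log the user<->kernel transition, then switch layers
        self.trace.append(("transition", mode, page))
        self.active = mode
        return True

def matches(trace, signature):
    """Sliding-window match of [(mode, page-or-None), ...]; None = any page."""
    return any(all(trace[i + j][1] == m and (p is None or trace[i + j][2] == p)
                   for j, (m, p) in enumerate(signature))
               for i in range(len(trace) - len(signature) + 1))

def demo():
    """Constructed fetch sequence: user code with two round trips into the kernel."""
    mon = Monitor(build_layers(user_pages={0x400}, kernel_pages={0xFFFF8}))
    fetches = [(3, 0x400000), (3, 0x400010), (0, 0xFFFF8000), (0, 0xFFFF8040),
               (3, 0x400020), (0, 0xFFFF8000), (3, 0x400030)]
    exits = sum(mon.fetch(cpl, addr) for cpl, addr in fetches)
    return exits, mon.trace  # 4 exits for 7 fetches, one per mode switch
```

Only the fetches that cross a privilege boundary cause a VM exit, which is the filtering property the paper relies on to keep trace generation cheap.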