Malware Analysis Platform Based on Secondary Development of Xen

Bibliographic Details
Published in: Applied Mechanics and Materials, Vol. 530-531 (Advances in Measurements and Information Technologies), pp. 865-868
Main Authors: Bai, Jin Rong; Zou, Guo Zhong; Mu, Shi Guang
Format: Journal Article
Language: English
Published: Zurich, Trans Tech Publications Ltd, 01.02.2014

Summary: API calls reflect the functional level of a program, so analysing the API calls a sample makes leads to an understanding of the malware's behaviour. Malware analysis environments are widely used, but as malware has evolved, some samples already have anti-virtualization, anti-debugging and anti-tracing capabilities. These analysis environments rely on a combination of API hooking and/or API virtualization, both of which can be detected by malware running at the same privilege level as the tracer. In this work, we develop a fully automated platform that traces native API calls, based on secondary development of Xen, and make the system as transparent and as similar to a Windows OS as possible, so that the execution trace of a program is obtained as if it had run in an environment with no tracer present. In contrast to other approaches, the hardware-assisted nature of our approach implicitly avoids many shortcomings that arise from incomplete or inaccurate system emulation.
Bibliography: Selected, peer-reviewed papers from the 2014 International Conference on Sensors, Instrument and Information Technology (ICSIIT 2014), January 18-19, 2014, Guangzhou, China
ISBN: 3038350397; 9783038350392
ISSN: 1660-9336; 1662-7482
DOI: 10.4028/www.scientific.net/AMM.530-531.865