rVMI: A New Paradigm for Full System Analysis

Black Hat USA 2017

Presented by: Jonas Pfoh, Sebastian Vogl
Date: Thursday July 27, 2017
Time: 09:45 - 10:35
Location: Mandalay Bay CD

Debuggers can play a valuable role in dynamic malware analysis, but these tools fall short in many areas for an obvious reason: their primary objective is debugging and not analyzing malware. Modern malware uses a variety of anti-analysis and anti-debugging techniques that actively exploit this reality. Techniques range from the simple use of APIs and breakpoint detection to sophisticated multi-stage/multi-process architectures. Such malware exploits the fact that debuggers are best suited for single-process analysis and run within the same environment as the sample, which makes them vulnerable to detection and evasion.

These shortcomings require a paradigm that supports full-system analysis and remains completely isolated from the target environment, while maintaining the flexible and interactive nature of a debugger. Virtual machine introspection (VMI) provides isolation as well as the inspection and interposition features required to support full-system analysis. By making VMI accessible to a fully scriptable environment, one can achieve an interactive full system analysis engine.

To address this need, we present rVMI, a system that combines VMI and Rekall (a powerful memory forensics framework) to provide a platform for scriptable and interactive malware analysis. rVMI operates from the hypervisor on a live system with the ability to start, resume, and trap events at will. With this complete control over the target environment, an analyst can debug any number of processes or the kernel with the same level of ease in a manner that is completely invisible to the target. Analysis can be conducted from an interactive shell or through scripts. In either case the analyst has access to the entire arsenal that Rekall provides, which allows her to enumerate processes, inspect kernel data structures, access process address spaces, etc. As rVMI exports a python interface it can easily be extended with any external tool that supports python.

Jonas Pfoh

Jonas Pfoh is currently a Staff Software Engineer at FireEye where he is responsible for the research and development of out-of-guest detection mechanisms. Previously, he was a Post-doc at the Technical University of Munich where he also received his PhD in 2013. His research interests lie primarily in the fields of virtualization, operating systems, and novel malware and exploitation techniques. Jonas has contributed to many published works in these areas including publications in USENIX and NDSS conference proceedings.

Sebastian Vogl

Sebastian Vogl is a Senior Software Engineer at FireEye. His work is focused on the development of novel malware detection techniques. Formerly, Sebastian worked as a security researcher at the Technical University of Munich where he obtained his PhD in 2015. In his research, Sebastian explores malware and exploitation techniques as well as virtual machine introspection and its application to system security. He presented his work at various renowned academic conferences including USENIX and NDSS.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats