
LO-PHI: Low-Observable Physical Host Instrumentation for Malware Analysis


Dynamic-analysis techniques have become the linchpins of modern malware analysis. However, software-based methods have been shown to expose numerous artifacts, which can either be detected and subverted, or potentially interfere with the analysis altogether, making their results untrustworthy. The need for less-intrusive methods of analysis has led many researchers to utilize introspection in place of instrumenting the software itself. While most current introspection technologies have focused on virtual-machine introspection, we present a novel system, LO-PHI, which is capable of physical-machine introspection of both non-volatile and volatile memory, i.e., hard disk and system memory. We demonstrate that we are able to provide analysis capabilities comparable to existing solutions, whilst exposing zero software-based artifacts and minimal hardware artifacts. To demonstrate the usefulness of our system, we have developed a framework for performing automated binary analysis. We employ this framework to analyze numerous potentially malicious binaries using both traditional virtual-machine introspection and our new hardware-based instrumentation. Our results show that not only is our analysis on-par with existing software-based counterparts, but that our physical instrumentation is capable of successfully analyzing far more binaries, as it is not foiled by popular anti-analysis techniques.
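The "popular anti-analysis techniques" the abstract refers to are, in practice, cheap hardware-level checks that a sample runs before deciding whether to misbehave. The block below is an added example (it is not code from the LO-PHI paper or its authors) of three such checks as malware would issue them on x86: the CPUID "hypervisor present" bit, the leaf 0x40000000 vendor signature, and the CPUID-exit timing side channel. All three are exactly what virtual-machine introspection cannot hide and what a physical host running LO-PHI's out-of-band disk and memory sensors does not trigger. The vendor-signature table is taken from public hypervisor documentation; the 1000-cycle threshold is an assumed heuristic, not a value from the paper.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>           /* __cpuid / __get_cpuid macros shipped with GCC and Clang */
#define HAVE_X86_CPUID 1
#else
#define HAVE_X86_CPUID 0     /* non-x86 builds compile but report "bare metal" */
#endif

/* 12-byte CPUID leaf 0x40000000 vendor signatures from public vendor documentation.
   Compared on all 12 bytes because some (KVM) contain embedded NULs. */
struct hv_sig { char sig[12]; const char *name; };
static const struct hv_sig HV_TABLE[] = {
    { "KVMKVMKVM\0\0\0", "KVM" },
    { "VMwareVMware", "VMware" },
    { "Microsoft Hv", "Hyper-V" },
    { "XenVMMXenVMM", "Xen" },
    { "VBoxVBoxVBox", "VirtualBox" },
    { "TCGTCGTCGTCG", "QEMU/TCG" },
};

/* Pure lookup: vendor name for a 12-byte signature, or NULL if it is not in the table. */
const char *hypervisor_name(const char *sig12)
{
    for (size_t i = 0; i < sizeof HV_TABLE / sizeof HV_TABLE[0]; i++)
        if (memcmp(sig12, HV_TABLE[i].sig, 12) == 0)
            return HV_TABLE[i].name;
    return NULL;
}

/* CPUID.1:ECX[31] is the "hypervisor present" bit; it reads 0 on real hardware. */
int hypervisor_bit_set(void)
{
#if HAVE_X86_CPUID
    unsigned int a, b, c, d;
    if (!__get_cpuid(1, &a, &b, &c, &d))
        return 0;
    return (int)((c >> 31) & 1u);
#else
    return 0;
#endif
}

/* Fills out[0..11] with the EBX:ECX:EDX bytes of leaf 0x40000000 and NUL-terminates.
   Only meaningful when a hypervisor is present; on bare metal this leaf echoes the
   highest basic leaf, so the bytes are arbitrary. */
void hypervisor_signature(char out[13])
{
    memset(out, 0, 13);
#if HAVE_X86_CPUID
    unsigned int a, b, c, d;
    __cpuid(0x40000000, a, b, c, d);
    memcpy(out, &b, 4);
    memcpy(out + 4, &c, 4);
    memcpy(out + 8, &d, 4);
#endif
}

#if HAVE_X86_CPUID
/* LFENCE keeps earlier instructions from drifting past the timestamp read;
   volatile asm keeps the compiler from reordering it around __cpuid. */
static inline uint64_t rdtsc_fenced(void)
{
    unsigned int lo, hi;
    __asm__ __volatile__("lfence\n\trdtsc" : "=a"(lo), "=d"(hi));
    return ((uint64_t)hi << 32) | lo;
}
#endif

/* Timing side channel: CPUID is an unconditional VM exit, so it costs far more cycles
   under a hypervisor than natively. Returns the minimum cost over n samples. */
uint64_t cpuid_min_cycles(int n)
{
#if HAVE_X86_CPUID
    uint64_t best = UINT64_MAX;
    for (int i = 0; i < n; i++) {
        unsigned int a, b, c, d;
        uint64_t t0 = rdtsc_fenced();
        __cpuid(0, a, b, c, d);
        uint64_t t1 = rdtsc_fenced();
        if (t1 - t0 < best) best = t1 - t0;
    }
    return best;
#else
    (void)n;
    return 0;
#endif
}

/* Combined verdict of the kind a sample uses to decide whether to run its payload.
   The 1000-cycle threshold is an assumed heuristic; calibrate per CPU. */
int looks_virtualized(void)
{
    char sig[13];
    if (hypervisor_bit_set()) return 1;
    hypervisor_signature(sig);          /* some hypervisors hide the bit but keep the leaf */
    if (hypervisor_name(sig)) return 1;
    return cpuid_min_cycles(100) > 1000;
}

int main(void)
{
    char sig[13];
    hypervisor_signature(sig);
    const char *name = hypervisor_name(sig);
    printf("hypervisor bit : %d\n", hypervisor_bit_set());
    printf("signature      : %.12s (%s)\n", sig, name ? name : "unknown");
    printf("min CPUID cost : %llu cycles\n", (unsigned long long)cpuid_min_cycles(100));
    printf("verdict        : %s\n", looks_virtualized() ? "virtualized" : "bare metal");
    return 0;
}
```

Run it once inside a VMI-based sandbox and once on a bare-metal host: the first two checks are deterministic and the third is noisy but wide-margin (a VM exit typically costs thousands of cycles against tens natively), which is why a sample that gates on them is silently inert under virtual-machine introspection yet detonates on physical instrumentation. Hypervisors can spoof the bit and the signature, but hiding the exit latency requires trapping RDTSC as well, which itself adds observable cost.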
