Stealth breakpoints
A Vasudevan, R Yerraballi - 21st Annual Computer Security …, 2005 - ieeexplore.ieee.org
A Vasudevan, R Yerraballi
21st Annual Computer Security Applications Conference (ACSAC'05), 2005•ieeexplore.ieee.orgMicroscopic analysis of malicious code (malware) requires the aid of a variety of powerful
tools. Chief among them is a debugger that enables runtime binary analysis at an instruction
level. One of the important services provided by a debugger is the ability to stop execution of
code at an arbitrary point during runtime, using breakpoints. Software breakpoints support
an unlimited number of breakpoint locations by changing the code being debugged so that it
can be interrupted during runtime. Most, if not all, malware are very sensitive to code …
tools. Chief among them is a debugger that enables runtime binary analysis at an instruction
level. One of the important services provided by a debugger is the ability to stop execution of
code at an arbitrary point during runtime, using breakpoints. Software breakpoints support
an unlimited number of breakpoint locations by changing the code being debugged so that it
can be interrupted during runtime. Most, if not all, malware are very sensitive to code …
Microscopic analysis of malicious code (malware) requires the aid of a variety of powerful tools. Chief among them is a debugger that enables runtime binary analysis at an instruction level. One of the important services provided by a debugger is the ability to stop execution of code at an arbitrary point during runtime, using breakpoints. Software breakpoints support an unlimited number of breakpoint locations by changing the code being debugged so that it can be interrupted during runtime. Most, if not all, malware are very sensitive to code modification with self-modifying and/or self-checking (SM-SC) capabilities, rendering the use of software breakpoints limited in their scope. Hardware breakpoints supported by the underlying processor, on the other hand, use a subset of the processor register set and exception mechanisms to provide breakpoints that do not entail code modification. This makes hardware breakpoints the most powerful breakpoint mechanism for malware analysis. However, current processors provide a very limited number of hardware breakpoints (typically 2-4 locations). Thus, a serious restriction is imposed on the debugger to set a desired number of breakpoints without resorting to the limited alternative of software breakpoints. Also, with the ever evolving nature of malware, there are techniques being employed that prevent the use of hardware breakpoints. This calls for a new breakpoint mechanism that retains the features of hardware breakpoints while providing an unlimited number of breakpoints, which cannot be detected or countered. In this paper, we present the concept of stealth breakpoints and discuss the design and implementation of VAMPiRE, a realization of this concept. VAMPiRE cannot be detected or countered and provides unlimited number of breakpoints to be set on code, data, and I/O with the same precision as that of hardware breakpoints. It does so by employing a subtle combination of simple stealth techniques using virtual memory and hardware single-stepping mechanisms that are available on all processors, old and new. This technique makes VAMPiRE portable to any architecture, providing powerful breakpoint ability similar to hardware breakpoints for microscopic malware analysis
ieeexplore.ieee.org