Abstract

An instruction trace is the sequence of instructions executed when running a program. Instruction traces have a large number of applications in malware analysis. Examples of such applications are detection of self-modifying code, automated unpacking, code-similarity analysis, reverse engineering of cryptographic code, vulnerability analysis, etc. It is thus not astonishing that we have recently seen considerable interest in instruction traces in the malware research community. Accordingly, there already exists a range of instruction tracers such as Ether, Temu and Pin. An ideal tracer will be efficient (support analysis of large numbers of malware), transparent (hard to detect and evade), and portable to different versions of the Windows operating system, and it shall run on virtual and physical machines. None of the current tracers features all of these properties. We have developed a novel tracer dubbed "Helios", which overcomes these limitations. To this end, Helios uses several advanced and novel techniques. Our talk will first introduce the topic of tracing and its applications, followed by a detailed discussion of Helios. In particular, we will demonstrate Joedoc, a novel tool for detecting exploits in documents (e.g. PDFs) which is based on instruction traces.
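As an added example (not code from the talk, Helios or Joedoc), the following Python shows two of the trace-based analyses the abstract lists: detecting self-modifying code by looking for instructions that execute from bytes written earlier in the same trace (the write-then-execute pattern of unpackers), and comparing two traces by the overlap of their mnemonic n-grams. The trace record format and the sample traces are assumptions constructed for the example; a real tracer would produce the records, but the analysis logic is the same.

```python
"""Toy analyses over an instruction trace (added example, constructed data)."""
from collections import namedtuple

# Assumed trace record: address and size of the executed instruction, its
# mnemonic, and the code addresses it wrote to (empty for most instructions).
TraceEntry = namedtuple("TraceEntry", "addr size mnemonic writes")


def find_self_modifying(trace):
    """Return (exec_addr, writer_index, exec_index) for every instruction that
    executes from at least one byte written earlier in the trace.

    This is the write-then-execute signature of unpacking stubs and other
    self-modifying code: a trace makes it visible because it records both the
    memory writes and the addresses that are later fetched as instructions.
    """
    written_by = {}  # byte address -> index of the most recent trace entry that wrote it
    hits = []
    for i, entry in enumerate(trace):
        # The instruction at entry.addr was fetched before its own writes took
        # effect, so check execution against earlier writes first.
        for b in range(entry.addr, entry.addr + entry.size):
            if b in written_by:
                hits.append((entry.addr, written_by[b], i))
                break
        for w in entry.writes:
            written_by[w] = i
    return hits


def mnemonic_ngrams(trace, n=3):
    """Set of length-n mnemonic sequences occurring in the trace."""
    mn = [e.mnemonic for e in trace]
    return {tuple(mn[i:i + n]) for i in range(len(mn) - n + 1)}


def trace_similarity(a, b, n=3):
    """Jaccard similarity of the mnemonic n-gram sets of two traces (0.0 .. 1.0).

    A crude but useful code-similarity measure: traces of the same routine
    under a different packer or with inserted junk instructions still share
    most of their n-grams.
    """
    sa, sb = mnemonic_ngrams(a, n), mnemonic_ngrams(b, n)
    if not sa and not sb:
        return 1.0
    return len(sa & sb) / len(sa | sb)


# Constructed sample: a stub at 0x1000 decrypts four bytes into 0x2000 and then
# jumps there, so the instructions at 0x2000 and 0x2001 run from written bytes.
UNPACK_TRACE = [
    TraceEntry(0x1000, 2, "mov", ()),
    TraceEntry(0x1002, 2, "xor", ()),
    TraceEntry(0x1004, 3, "mov", range(0x2000, 0x2004)),  # write decrypted code
    TraceEntry(0x1007, 2, "jmp", ()),
    TraceEntry(0x2000, 1, "push", ()),
    TraceEntry(0x2001, 3, "call", ()),
]

# Constructed variant of the same stub with one junk instruction inserted and no
# memory writes, as a second trace for the similarity measure.
VARIANT_TRACE = [TraceEntry(0x3000, 1, "nop", ())] + [
    TraceEntry(e.addr, e.size, e.mnemonic, ()) for e in UNPACK_TRACE
]


if __name__ == "__main__":
    for exec_addr, writer, idx in find_self_modifying(UNPACK_TRACE):
        print(f"instruction #{idx} at {exec_addr:#x} runs from bytes written by instruction #{writer}")
    print(f"similarity: {trace_similarity(UNPACK_TRACE, VARIANT_TRACE):.2f}")
```

Real traces contain millions of entries, so a production version would keep the written-byte map in a compact structure (for example per-page bitmaps) and would also record the bytes that were written, so the decrypted code region can be dumped once execution reaches it.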