Masters Theses

Abstract

"Software security researchers commonly reverse engineer and analyze current malicious software (malware) to determine what the latest techniques malicious attackers are utilizing and how to protect computer systems from attack. The most common analysis methods involve examining how the program behaves during execution and interpreting its machine-level instructions. However, modern malicious applications use advanced anti-debugger, anti-virtualization, and code packing techniques to obfuscate the malware's true activities and divert security analysts. Malware analysts currently do not have a simple method for tracing malicious code activity at the instruction-level in a highly undetectable environment. There also lacks a simple method for combining actual run-time register and memory values with statically disassembled code. Combining statically disassembled code with the run-time values found in the memory and registers being accessed would create a new level of analysis possible by combining key aspects of static analysis with dynamic analysis. This thesis presents EtherAnnotate, a new extension to the Xen Ether virtualization framework and the IDA Pro disassembler to aid in the task of malicious software analysis. This new extension consists of two separate components - an enhanced instruction tracer and a graphical annotation and visualization plug-in for IDA Pro. The specialized instruction tracer places a malware binary into a virtualized environment and records the contents of all processor general register values that occur during its execution. The annotation plug-in for IDA Pro interprets the output of the instruction tracer and adds line comments of the register values in addition to visualizing code coverage of all disassembled instructions that were executed during the malware's execution. These two tools can be combined to provide a new level of introspection for advanced malware that was not available with the previous state-of-the-art analysis tools"--Abstract, page iii.

Advisor(s)

Miller, Ann K.

Committee Member(s)

Tauritz, Daniel R.
McMillin, Bruce M.

Department(s)

Computer Science

Degree Name

M.S. in Computer Science

Publisher

Missouri University of Science and Technology

Publication Date

Spring 2010

Pagination

ix, 69 pages

Note about bibliography

Includes bibliographical references.

Rights

© 2010 Joshua Michael Eads, All rights reserved.

Document Type

Thesis - Open Access

File Type

text

Language

English

Library of Congress Subject Headings

Computer security -- Computer programs
Malware (Computer software)
Reverse engineering -- Computer programs
Virtual computer systems

Thesis Number

T 9608

Print OCLC #

678585476

Electronic OCLC #

611152286

Share

 
COinS