Masters Theses
Abstract
"Software security researchers commonly reverse engineer and analyze current malicious software (malware) to determine what the latest techniques malicious attackers are utilizing and how to protect computer systems from attack. The most common analysis methods involve examining how the program behaves during execution and interpreting its machine-level instructions. However, modern malicious applications use advanced anti-debugger, anti-virtualization, and code packing techniques to obfuscate the malware's true activities and divert security analysts. Malware analysts currently do not have a simple method for tracing malicious code activity at the instruction-level in a highly undetectable environment. There is also no simple method for combining actual run-time register and memory values with statically disassembled code. Combining statically disassembled code with the run-time values found in the memory and registers being accessed would create a new level of analysis possible by combining key aspects of static analysis with dynamic analysis. This thesis presents EtherAnnotate, a new extension to the Xen Ether virtualization framework and the IDA Pro disassembler to aid in the task of malicious software analysis. This new extension consists of two separate components - an enhanced instruction tracer and a graphical annotation and visualization plug-in for IDA Pro. The specialized instruction tracer places a malware binary into a virtualized environment and records the contents of all processor general register values that occur during its execution. The annotation plug-in for IDA Pro interprets the output of the instruction tracer and adds line comments of the register values in addition to visualizing code coverage of all disassembled instructions that were executed during the malware's execution. These two tools can be combined to provide a new level of introspection for advanced malware that was not available with the previous state-of-the-art analysis tools"--Abstract, page iii.
Advisor(s)
Miller, Ann K.
Committee Member(s)
Tauritz, Daniel R.
McMillin, Bruce M.
Department(s)
Computer Science
Degree Name
M.S. in Computer Science
Publisher
Missouri University of Science and Technology
Publication Date
Spring 2010
Pagination
ix, 69 pages
Note about bibliography
Includes bibliographical references.
Rights
© 2010 Joshua Michael Eads, All rights reserved.
Document Type
Thesis - Open Access
File Type
text
Language
English
Subject Headings
Computer security -- Computer programs
Malware (Computer software)
Reverse engineering -- Computer programs
Virtual computer systems
Thesis Number
T 9608
Print OCLC #
678585476
Electronic OCLC #
611152286
Recommended Citation
Eads, Joshua Michael, "EtherAnnotate: a transparent malware analysis tool for integrating dynamic and static examination" (2010). Masters Theses. 4762.
https://scholarsmine.mst.edu/masters_theses/4762