dAnubis - Dynamic Device Driver Analysis Based on Virtual Machine Introspection

Abstract

In the escalating arms race between malicious code and the security tools designed to analyze it, detect it or mitigate its impact, malicious code running inside the operating system kernel provides an extremely powerful tool. Kernel-level code can introduce hard-to-detect backdoors, provide stealth by hiding files, processes or other resources, and in general tamper with operating system code and data in arbitrary ways. Under Windows, kernel-level malicious code typically takes the form of a device driver. In this work, we present dAnubis, a system for the real-time, dynamic analysis of malicious Windows device drivers. dAnubis can automatically provide a high-level, human-readable report of a driver's behavior on the system. We applied our system to a dataset of over 400 malware samples. The results of this analysis shed some light on the behavior of kernel-level malicious code that is in the wild today.

DOI: 10.1007/978-3-642-14215-4_3

10 Figures and Tables

Cite this paper

@inproceedings{Neugschwandtner2010dAnubisD,
  title     = {dAnubis - Dynamic Device Driver Analysis Based on Virtual Machine Introspection},
  author    = {Matthias Neugschwandtner and Christian Platzer and Paolo Milani Comparetti and Ulrich Bayer},
  booktitle = {DIMVA},
  year      = {2010}
}