Contributions to Proceedings:
M. Neugschwandtner, Ch. Platzer, P. Milani Comparetti, U. Bayer:
"dAnubis - Dynamic Device Driver Analysis Based on Virtual Machine Introspection";
in: "Seventh Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA)",
IEEE Computer Society,
In the escalating arms race between malicious code and security tools designed to analyze it, detect it or mitigate its impact, malicious code running inside the operating system kernel provides an extremely powerful tool. Kernel-level code can introduce hard to detect backdoors, provide stealth by hiding files, processes or other resources and in general tamper with operating system code and data in arbitrary ways.
Under Windows, kernel-level malicious code typically takes the form of a device driver. In this work, we present dAnubis, a system for the real-time, dynamic analysis of malicious Windows device drivers. dAnubis can automatically provide a high-level, human-readable report of a driver's behavior on the system. We applied our system to a dataset of over 400 malware samples. The results of this analysis shed some light on the behavior of kernel-level malicious code that is in the wild today.
Electronic version of the publication:
Project Head Paolo Milani Comparetti:
Worldwide Observatory of Malicious Behaviors and Attack Threats
Created from the Publication Database of the Vienna University of Technology.