HookTracer: A System for Automated and Accessible API Hooks Analysis

Abstract The use of memory forensics is becoming commonplace in digital investigation and incident response, as it provides critically important capabilities for detecting sophisticated malware attacks, including memory-only malware components. In this paper, we concentrate on improving analysis of API hooks, a technique commonly employed by malware to hijack the execution flow of legitimate functions. These hooks allow the malware to gain control at critical times and to exercise complete control over function arguments and return values. Existing techniques for detecting hooks, such the Volatility plugin apihooks, do a credible job, but generate numerous false positives related to non-malicious use of API hooking. Furthermore, deeper analysis to determine the nature of hooks detected by apihooks typically requires substantial skill in reverse engineering and an extensive knowledge of operating systems internals. In this paper, we present a new, highly configurable tool called hooktracer, which eliminates false positives, provides valuable insight into the operation of detected hooks, and generates portable signatures called hook traces, which can be used to rapidly investigate large numbers of machines for signs of malware infection.

[1]  David H. Ackley,et al.  Randomized instruction set emulation to disrupt binary code injection attacks , 2003, CCS '03.

[2]  Min Gyung Kang,et al.  Emulating emulation-resistant malware , 2009, VMSec '09.

[3]  Heng Yin TEMU: Binary Code Analysis via Whole-System Layered Annotative Execution , 2010 .

[4]  Matt Pietrek,et al.  Peering Inside the PE: A Tour of the Win32 Portable Executable File Format , 1994 .

[5]  Herbert Bos,et al.  Argos: an emulator for fingerprinting zero-day attacks for advertised honeypots with automatic signature generation , 2006, EuroSys.

[6]  Zhenkai Liang,et al.  HookFinder: Identifying and Understanding Malware Hooking Behaviors , 2008, NDSS.

[7]  Gabriel Negreira Barbosa,et al.  Scientific but Not Academical Overview of Malware Anti-Debugging , Anti-Disassembly and Anti-VM Technologies , 2012 .

[8]  Fabrice Bellard,et al.  QEMU, a Fast and Portable Dynamic Translator , 2005, USENIX ATC, FREENIX Track.

[9]  Kevin P. Lawton Bochs: A Portable PC Emulator for Unix/X , 1996 .

[10]  Aaron Walters,et al.  The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory , 2014 .

[11]  Christopher Kruegel Lastline Full System Emulation: Achieving Successful Automated Dynamic Analysis of Evasive Malware , 2014 .

[12]  Cynthia E. Irvine,et al.  Security Checkers: Detecting processor malicious inclusions at runtime , 2011, 2011 IEEE International Symposium on Hardware-Oriented Security and Trust.

[13]  Davide Balzarotti,et al.  ROPMEMU: A Framework for the Analysis of Complex Code-Reuse Attacks , 2016, AsiaCCS.

[14]  William Kimball Emulation-based Software Protection , 2009 .

[15]  Golden G. Richard,et al.  Detecting objective-C malware through memory forensics , 2016 .