Dynamic Instruction Sequences Dynamic Instruction Sequences Monitor for Virus DetectionMonitor for Virus Detection

Jianyong Dai, Ratan Guha, Joohan LeeJianyong Dai, Ratan Guha, Joohan Lee

Wednesday, January 28, 2009Wednesday, January 28, 2009

Cho, Ho-GiCho, Ho-Gi

AbstractAbstract

• Dynamic instruction sequences monitor– refers to a special program which has the ability to launch a program and

capture the runtime instruction sequence of that program

• Problem– none of them are specially designed to launch a potentially malicious program

• Solution– intercept certain Win32 API and divert it to a safe version of that API– provide virus detection plug-in mechanism

23年 4月 20日 [WePu07] 2

Dynamic instruction sequence Dynamic instruction sequence monitormonitor

23年 4月 20日 [WePu07] 3

DebuggerDebugger

AnalyzingAnalyzing MonitorMonitor

mainmain

TargetTarget

LaunchLaunch

SystemSystem

Malicious code or program

InfectInfectInfectInfect

• Solution– built a dynamic instruction sequences monitor with a protection

mechanism• intercept potentially destructive Win32 API and divert it to a safe version

of that API• provide some mechanism to keep the original execution path as much as

possible

– plug-in mechanism• programmer can build different applications based on the dynamic

instruction sequences captured by the monitor

23年 4月 20日 [WePu07] 4

System ArchitectureSystem Architecture

• Overview

23年 4月 20日 [WePu07] 5

MonitorMonitor

mainmain

TargetTarget

LaunchLaunch

…ReadFile(..)CreateFile(..)CheckFile(..)WriteFile(..) …

Malicious code or program

InterpositionInterposition

Binary sequences

Classification

Models

CreateFile(..)CheckFile(..)WriteFile(..)

Classification

Models

CreateFile(..)CheckFile(..)WriteFile(..)

Compare andDecision

23年 4月 20日 [WePu07] 6

Program DebuggerProgram Debugger

InsulatorInsulator

Unknown ExecutableUnknown Executable

DisassemblerDisassembler

Instruction processing Plug-in

Instruction processing Plug-in

System Architecture for monitor

InstructionSequences

Logic assemblyconstruction

Logic assemblyconstruction

Abstract assembly

construction

Abstract assembly

construction

ClassificationClassification

Decision

Decision

Model ManagerModel Manager

Classification

Models

Classification

Models

Structure of virus detection plug-in

• Insulator– prevent certain Win32 API from executing– supply API with dummy output without actually invoking– use Microsoft Detour package

23年 4月 20日 [WePu07] 7

ReturnReturnFile and directory manipulation APIRegistry manipulation APIRemote memory manipulationRemote thread creationAdministration related APISocket creation, packet sending

ConclusionConclusion

• describe a dynamic instruction sequences monitor and a virus detection plug-in based the monitor– efficient and protect user computer in general case

• Problem– invoke the underlying ntdll.dll or interrupt 2E directly, which is not

protected

23年 4月 20日 [WePu07] 8