2010 | OriginalPaper | Chapter
dAnubis – Dynamic Device Driver Analysis Based on Virtual Machine Introspection
Authors : Matthias Neugschwandtner, Christian Platzer, Paolo Milani Comparetti, Ulrich Bayer
Published in: Detection of Intrusions and Malware, and Vulnerability Assessment
Publisher: Springer Berlin Heidelberg
In the escalating arms race between malicious code and security tools designed to analyze it, detect it or mitigate its impact, malicious code running inside the operating system kernel provides an extremely powerful tool. Kernel-level code can introduce hard-to-detect backdoors, provide stealth by hiding files, processes or other resources, and in general tamper with operating system code and data in arbitrary ways.
Under Windows, kernel-level malicious code typically takes the form of a device driver. In this work, we present dAnubis, a system for the real-time, dynamic analysis of malicious Windows device drivers. dAnubis can automatically provide a high-level, human-readable report of a driver's behavior on the system. We applied our system to a dataset of over 400 malware samples. The results of this analysis shed some light on the behavior of kernel-level malicious code that is in the wild today.