Abstract
Most of today's malware is able to detect traditional debuggers and changes its behavior whenever someone tries to analyze it, which makes the analysis of such malware a much more complex task. In this paper, we present the functionalities provided by the Kolumbo kernel module that can help simplify the analysis of malware. Four functionalities are provided for the analyst: system call monitoring, virtual memory content dumping, pseudo-breakpoint insertion and eluding anti-debugging protections based on ptrace. The module has been designed to minimize its impact on the system and to be as undetectable as possible. However, it has not been conceived to analyze programs with kernel access.
Cite this article
Desfossez, J., Dieppedale, J. & Girard, G. Stealth malware analysis from kernel space with Kolumbo. J Comput Virol 7, 83–93 (2011). https://doi.org/10.1007/s11416-009-0139-z