The Reversing Machine: Reconstructing Memory Assumptions

TL;DR

The paper introduces The Reversing Machine (TRM), a hypervisor-based memory analysis tool that enhances reverse engineering and detection of evasive malware, including rootkits, by reconstructing memory structures and detecting mode transitions.

Contribution

TRM provides a novel hypervisor-based approach with techniques like hooking suspended processes and Mode-Based Execution Control to improve malware analysis and detection capabilities.

Findings

TRM speeds up reverse engineering by 75% on average.

Successfully obfuscated malware was detected using TRM.

TRM outperforms 24 state-of-the-art antivirus solutions in detecting advanced threats.

Abstract

Existing anti-malware software and reverse engineering toolkits struggle with stealthy sub-OS rootkits due to limitations of run-time kernel-level monitoring. A malicious kernel-level driver can bypass OS-level anti-virus mechanisms easily. Although static analysis of such malware is possible, obfuscation and packing techniques complicate offline analysis. Moreover, current dynamic analyzers suffer from virtualization performance overhead and create detectable traces that allow modern malware to evade them. To address these issues, we present \textit{The Reversing Machine} (TRM), a new hypervisor-based memory introspection design for reverse engineering, reconstructing memory offsets, and fingerprinting evasive and obfuscated user-level and kernel-level malware. TRM proposes two novel techniques that enable efficient and transparent analysis of evasive malware: hooking a binary using suspended process creation for hypervisor-based memory introspection, and leveraging Mode-Based Execution Control (MBEC) to detect user/kernel mode transitions and memory access patterns. Unlike existing malware detection environments, TRM can extract full memory traces in user and kernel spaces and hook the entire target memory map to reconstruct arrays, structures within the operating system, and possible rootkits. We perform TRM-assisted reverse engineering of kernel-level structures and show that it can speed up manual reverse engineering by 75\% on average. We obfuscate known malware with the latest packing tools and successfully perform similarity detection. Furthermore, we demonstrate a real-world attack by deploying a modified rootkit onto a driver that bypasses state-of-the-art security auditing tools. We show that TRM can detect each threat and that, out of 24 state-of-the-art AV solutions, only TRM can detect the most advanced threats.