HALF: Hollowing Analysis Framework for Binary Programs with Kernel Module Assistance

TL;DR

HALF is a kernel-assisted framework for binary program analysis that achieves high fidelity and performance by eliminating address-space conflicts and supporting complex threat analysis.

Contribution

It introduces a novel kernel-assisted process hollowing approach to improve analysis fidelity and performance in binary program analysis.

Findings

HALF outperforms traditional in-process analysis tools in performance.

HALF maintains execution integrity in complex threat scenarios.

The framework effectively eliminates address-space conflicts.

Abstract

Binary program analysis represents a fundamental pillar of modern system security. Fine-grained methodologies like dynamic taint analysis still suffer from deployment complexity and performance overhead despite significant progress. Traditional in-process analysis tools trigger severe \textbf{address-space conflicts} that inevitably disrupt the native memory layout of the target. These conflicts frequently cause layout-sensitive exploits and evasive malware to deviate from their intended execution paths or fail entirely. This paper introduces \textbf{HALF} as a novel framework that resolves this fundamental tension while ensuring both analysis fidelity and practical performance. HALF achieves high-fidelity address-space transparency by leveraging a kernel-assisted process hollowing mechanism. This design effectively eliminates the observation artifacts that characterize traditional instrumentation tools. We further mitigate the synchronization latency of decoupled execution by implementing an exception-driven strategy via a lightweight kernel monitor. Extensive evaluation of a Windows-based prototype demonstrates that HALF maintains superior performance compared to conventional in-process baselines. HALF also provides unique capabilities for deconstructing complex, stealthy threats where existing frameworks fail to maintain execution integrity.