Malware/fiw
From CSRRT-LU
FIW a high level debugger
A trend in the malware analysis area is dynamic analysis. This can be explained by the fact that malware authors often use obfuscation techniques to protect their binaries. Furthermore, anti-reverse-engineering techniques increase the complexity of malware analysis. The major drawback of dynamic analysis is that some conditions are not fulfilled during the observed malware execution, so the observations are incomplete. This paper proposes a new high-level w32 debugger, called Fiw, for unveiling the internals of a malware sample. The major advantage of this debugger is that it is more difficult for a malware sample to detect than a plain debugger. The main idea is to use a custom w32 operating system with modified API and kernel functions. The custom w32 operating system sends internal information to the debugger and accepts commands from the debugger. The difference from traditional debuggers is that neither the machine instructions of a malware sample nor the processor state is modified. Thus the checks a malware sample performs for detecting debuggers fail. The tool Fiw provides traditional debugging features such as step-by-step execution and memory inspection, as well as some new features such as making environmental changes during execution in order to force a malware sample to take a given execution path. Based on the internals discovered this way, vulnerabilities in a malware sample can be found more easily.
State
Date: 29 October 2007. The debugger fiw is heavily experimental and is currently not ready for production use. Use it at your own risk.
Presentation
- HACK.LU 2007 PDF (http://www.csrrt.org.lu/wiki/images/6/61/Hack-lu-ama.pdf) (480445 bytes)
Download source
An experimental version can be downloaded here (http://quuxlabs.com/~gerard/software/fiw/fiw-0.0.1.tar.bz2) (123144 bytes).
Documentation
The documentation is not finished yet. For a general overview of how it works, please read the slides from HACK.LU 2007.
Contact
haegardev ATA gmail DOT com (Please replace ATA with the character @ and DOT with the character .)