Effective Malware Analysis Using Stealth Breakpoints

Fine-grained malware analysis requires various powerful analysis tools. Chief among them is a debugger that enables runtime binary analysis at the instruction level. One of the important services provided by a debugger is the ability to stop execution of code at arbitrary points during runtime, using breakpoints. Software breakpoints change the code being analyzed so that it can be interrupted during runtime. Most, if not all malware are very sensitive to code modification with self-modifying and/or self-checking capabilities, rendering the use of software breakpoints limited in their scope. Hardware breakpoints on the other hand, use a subset of the CPU registers and exception mechanisms to provide breakpoints that do not entail code modification. However, hardware breakpoints support limited breakpoint ability (typically only 2-4 locations) and are susceptible to various anti-debugging techniques employed by malware. This chapter describes a novel breakpoint technique (called stealth breakpoints) that provides unlimited number of breakpoints which are robust to detection and countering mechanisms. Further, stealth breakpoints retain all the features (code, data and I/O breakpoint abilities) of existing hardware and software breakpoint schemes and enables easy integration with existing debuggers.