Using debuggers is a common mean for identifying and analyzing malware (such as viruses, worms, spyware, rootkits, etc.). However, debuggers can be detected by malware via observing of the behavior of operating system, changes in code (such as breakpoint instructions) and non-standard behavior of the CPU, making the analysis of the malware can be hard and tedious. In this thesis we are implementing a basic debugger based on the QEMU emulator that hides its presence from the debugged application. This is accomplished by using the QEMU as virtual machine and adding context awareness to the already existing primitive debugger. The context awareness is implemented using an embedded Python scripting engine. Such setup gives us a flexible way of implementing support for various operating systems. In this thesis, we have developed two examples. One example is for the RTEMS operating system, which serves as easy to understand reference implementation. Second example is for the Linux operating system, to show the abilities of the undetectable debugger in a more real scenario.
Identifer | oai:union.ndltd.org:nusl.cz/oai:invenio.nusl.cz:305165 |
Date | January 2012 |
Creators | Demín, Michal |
Contributors | Děcký, Martin, Marek, Lukáš |
Source Sets | Czech ETDs |
Language | English |
Detected Language | English |
Type | info:eu-repo/semantics/masterThesis |
Rights | info:eu-repo/semantics/restrictedAccess |
Page generated in 0.0016 seconds