.NET malware dynamic instrumentation for automated and manual analysis
Author: Virus Bulletin
Uploaded: 2015-02-13
Views: 956
Description:
This presentation by Hexiang Hu (Microsoft) was delivered during VB2014 in Seattle, WA, USA.
Applications built on the Microsoft .NET Framework compile into Common Intermediate Language (CIL), formerly known as Microsoft Intermediate Language (MSIL). When executed, this intermediate language is either run by a virtual machine or compiled to native code at runtime by a just-in-time (JIT) compiler. This approach gives developers many advantages, such as a single binary that executes on multiple platforms and CPU architectures, but it has proved a technical challenge for anti-malware software and researchers, since many traditional analysis tools no longer apply.
Recently, we have been wrestling with more malware families that are developed using the .NET Framework. These families often use a variety of custom and commercial .NET packers that obfuscate and pack the code, making code analysis more difficult for anti-malware researchers.
To solve this problem, this presentation introduces a .NET malware research tool that assists in both automated and manual analysis of .NET malware. The tool performs dynamic instrumentation of .NET malware to analyse the functions that are called, as well as the corresponding CIL code about to be compiled. This presentation covers the following topics:
ICorProfilerCallback & ICorProfilerInfo interface introduction
Project architecture and infrastructure
Backdoor:MSIL/Bladabindi case study
Future of usage in machine-learning-based detection
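A profiler built on ICorProfilerCallback receives each method just before the JIT compiles it, and ICorProfilerInfo::GetILFunctionBody hands back the raw method body bytes; making sense of them requires parsing the CIL method header (tiny or fat format, ECMA-335 Partition II) and then the opcode stream. The following is an added example, not code from the talk or its tool, that performs that decoding on two constructed method bodies for a small subset of opcodes; the metadata tokens in the samples are made up.

```python
import struct

# Single-byte CIL opcodes this decoder understands: mnemonic and operand size in bytes.
# Subset for illustration; the full table is in ECMA-335, Partition III.
OPCODES = {
    0x00: ("nop", 0), 0x02: ("ldarg.0", 0), 0x03: ("ldarg.1", 0),
    0x06: ("ldloc.0", 0), 0x0A: ("stloc.0", 0), 0x1F: ("ldc.i4.s", 1),
    0x20: ("ldc.i4", 4), 0x28: ("call", 4), 0x2A: ("ret", 0), 0x2B: ("br.s", 1),
    0x58: ("add", 0), 0x6F: ("callvirt", 4), 0x72: ("ldstr", 4), 0x73: ("newobj", 4),
}

def parse_method_body(body: bytes) -> dict:
    """Split a raw CIL method body (as returned by GetILFunctionBody) into header fields and code."""
    kind = body[0] & 0x3
    if kind == 0x2:  # CorILMethod_TinyFormat: 1-byte header, code size in the upper 6 bits
        size = body[0] >> 2
        return {"format": "tiny", "max_stack": 8, "local_sig": 0, "code": body[1:1 + size]}
    if kind == 0x3:  # CorILMethod_FatFormat: 12-byte header
        flags_size, max_stack, code_size, local_sig = struct.unpack_from("<HHII", body, 0)
        header_len = (flags_size >> 12) * 4  # header size is stored in DWORDs
        flags = flags_size & 0x0FFF
        return {"format": "fat", "flags": flags, "max_stack": max_stack, "local_sig": local_sig,
                "init_locals": bool(flags & 0x10), "more_sects": bool(flags & 0x8),
                "code": body[header_len:header_len + code_size]}
    raise ValueError("not a CIL method body header")

def disassemble(code: bytes) -> list:
    """Decode the supported opcodes into (offset, mnemonic, operand) tuples."""
    out, pos = [], 0
    while pos < len(code):
        op = code[pos]
        if op not in OPCODES:
            raise ValueError(f"unsupported opcode 0x{op:02X} at IL_{pos:04X}")
        name, operand_len = OPCODES[op]
        operand = None
        if operand_len == 1:
            operand = struct.unpack_from("<b", code, pos + 1)[0]
        elif operand_len == 4:  # signed constant for ldc.i4, otherwise a metadata token
            operand = struct.unpack_from("<i" if name == "ldc.i4" else "<I", code, pos + 1)[0]
        out.append((pos, name, operand))
        pos += 1 + operand_len
    return out

# Constructed sample bodies (not taken from any real sample).
TINY_ADD = bytes([0x12, 0x02, 0x03, 0x58, 0x2A])  # ldarg.0; ldarg.1; add; ret
FAT_LDSTR_CALL = (struct.pack("<HHII", 0x3013, 8, 11, 0x11000001)  # fat | InitLocals, 3 DWORDs
                  + bytes([0x72]) + struct.pack("<I", 0x70000001)  # ldstr <user string token>
                  + bytes([0x28]) + struct.pack("<I", 0x0A000001)  # call  <MemberRef token>
                  + bytes([0x2A]))                                  # ret

if __name__ == "__main__":
    for body in (TINY_ADD, FAT_LDSTR_CALL):
        info = parse_method_body(body)
        for off, name, operand in disassemble(info["code"]):
            print(f"IL_{off:04X}: {name}" + (f" 0x{operand:08X}" if operand is not None else ""))
```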