Using Memory Management to Detect and Extract Illegitimate Code for Malware Analysis

Carsten Willems, Felix Freiling

Technical Report TR-2011-002, University of Mannheim, Department of Computer Science, May 2011


Exploits that successfully attack computers are mostly based on some form of shellcode, i.e., illegitimate code that is injected by the attacker to take control of the system. Detecting and extracting such code is the first step to detailed analysis of malware containing illegitimate code. The amount and sophistication of modern malware calls for automated mechanisms that perform such detection and extraction. In this paper we present a novel generic and fully automatic approach to detect the execution of illegitimate code and extract such code upon detection. The basic idea of the approach is to flag critical memory pages as non-executable and use a modified page fault handler to dump corresponding memory pages. We present an implementation of the approach for the Windows platform called CWXDetector. Evaluations using malicious PDF documents as an example show that CWXDetector produces no false positives and has a similarly low false negative rate.
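The mechanism in the abstract (withhold execute permission from pages that should only hold data, and let the resulting execution fault both detect and dump the injected code) can be demonstrated in user space. The following is an added example written for this page, not code from the report or from CWXDetector: a Linux process stages a constructed payload (a function that returns 42) in a read/write page, and a SIGSEGV handler plays the role of the modified page fault handler. Because the page is readable and writable, the only access that can raise a protection fault (SEGV_ACCERR) on it is an instruction fetch, so the handler counts the event, copies the page out as the "dump", makes the page executable and returns so the fetch is retried. It assumes x86-64 or AArch64 Linux with glibc and NX-capable hardware.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed stand-in for injected shellcode: "mov eax/w0, 42 ; ret". */
#if defined(__x86_64__)
static const unsigned char k_code[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };
#elif defined(__aarch64__)
static const unsigned char k_code[] = { 0x40, 0x05, 0x80, 0x52, 0xc0, 0x03, 0x5f, 0xd6 };
#else
#error "example supports x86-64 and aarch64 only"
#endif

enum { DUMP_MAX = 65536 };               /* large enough for any common page size */

/* State shared with the fault handler: the watched page and what it captured. */
static uintptr_t trap_start, trap_end;
static volatile sig_atomic_t exec_detections;
static unsigned char dumped_page[DUMP_MAX];
static size_t dumped_len;

/* The user-space analogue of the report's modified page fault handler. */
static void on_segv(int sig, siginfo_t *info, void *uctx)
{
    (void)sig; (void)uctx;
    uintptr_t addr = (uintptr_t)info->si_addr;

    /* Only protection faults inside the watched page are ours; the page is RW,
       so such a fault can only be an attempted instruction fetch. */
    if (info->si_code != SEGV_ACCERR || addr < trap_start || addr >= trap_end) {
        signal(SIGSEGV, SIG_DFL);        /* not ours: retry the fault with the default action */
        return;
    }
    exec_detections++;

    /* Dump the page before it is allowed to run (byte loop: async-signal-safe). */
    dumped_len = trap_end - trap_start;
    for (size_t i = 0; i < dumped_len; i++)
        dumped_page[i] = ((const unsigned char *)trap_start)[i];

    /* Grant execute permission and return; the faulting fetch is retried and succeeds. */
    mprotect((void *)trap_start, dumped_len, PROT_READ | PROT_WRITE | PROT_EXEC);
}

static int install_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_segv;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGSEGV, &sa, NULL);
}

/* Place the payload in a fresh non-executable page and register that page for watching. */
static void *stage_payload(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    if (page > DUMP_MAX) return NULL;
    void *p = mmap(NULL, page, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    memcpy(p, k_code, sizeof k_code);
    __builtin___clear_cache((char *)p, (char *)p + sizeof k_code);   /* needed on AArch64 */
    trap_start = (uintptr_t)p;
    trap_end = trap_start + page;
    return p;
}

/* Run the staged payload twice: the first call trips the handler, the second
   does not because the page is executable by then. Returns 42 on success. */
int run_demo(void)
{
    if (install_handler() != 0) return -1;
    void *p = stage_payload();
    if (p == NULL) return -1;
    int (*fn)(void);
    memcpy(&fn, &p, sizeof fn);          /* object-to-function pointer without a cast warning */
    int r1 = fn();
    int r2 = fn();
    return (r1 == 42 && r2 == 42) ? 42 : -1;
}

int detections(void) { return (int)exec_detections; }

/* 1 if the dump taken at fault time starts with the staged payload bytes. */
int dump_matches_payload(void)
{
    return (dumped_len >= sizeof k_code &&
            memcmp(dumped_page, k_code, sizeof k_code) == 0) ? 1 : 0;
}

int main(void)
{
    int r = run_demo();
    printf("payload returned %d, execution faults detected: %d, dump matches: %d\n",
           r, detections(), dump_matches_payload());
    return r == 42 ? 0 : 1;
}
```

Two points carry over to the real setting. First, a user-space SIGSEGV handler only sees faults in its own process, which is why the report instruments the page fault handler itself rather than relying on cooperation from the analysed program. Second, the handler does the dump before re-enabling execution: once the page runs, self-modifying or self-erasing shellcode may no longer be there to extract.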

[MADOC Link]

tags: malware analysis, memory analysis