Tracing malware's steps with RE:Trace

DTrace: Easier application analysis
This dynamic tracing tool was introduced with the release of Sun Microsystems Inc.'s Solaris 10 operating system in 2005. This low-level debugging and monitoring framework allows detailed analysis of system resources used by applications. Among its many advances in kernel debugging, it greatly reduces the time needed for process activity and performance analysis. It has the unique ability to dynamically examine processes across the entire software stack -- from kernel mode through userland. DTrace provides comprehensive system-wide information, while allowing the user to receive customized details with granular control.

DTrace receives its shell script interface from the block-based D programming language. Its absence of loops and pointers augment system performance, making it safe for use on production systems. The shared library, libdtrace, provides DTrace with a portal from user to kernel mode. The inspection of kernel resource utilization is queried through probes. Defined in the D language script, kernel interrogation is precisely defined by the probes' quartet of structured syntax: provider, module, function and name.

RE:Trace: Engineering the tool
In order to create the RE:Trace platform, the data limitations of DTrace are overcome by its integration with the Ruby programming language. Furthermore, this object-oriented wrapper extends compatibility to other security applications, suc

To continue reading for free, register below or login

Requires Membership to View

To gain access to this and all member only content, please provide the following information (all fields required):

First Name:
Last Name:
Country: Select... Afghanistan Aland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory British Virgin Islands Brunei Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos (Keeling) Islands Colombia Comoros Congo Congo, Democratic Republic of Cook Islands Costa Rica Cote D'Ivoire Croatia Cuba Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia, The Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard and McDonald Islands Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati Korea, North Korea, South Kuwait Kyrgyzstan Laos Latvia Lebanon Lesotho Liberia Libya Liechtenstein Lithuania Luxembourg Macau Macedonia Madagascar Malawi Malaysia Maldives Mali Malta Man, Isle of Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands Netherlands Antilles New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestine Panama Panama Canal Zone Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Reunion Romania Russia Rwanda Saint Helena Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and the Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia and Montenegro Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard Swaziland Sweden Switzerland Syria Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu U.S. Minor Outlying Islands Uganda Ukraine United Arab Emirates United Kingdom United States Uruguay Uzbekistan Vanuatu Vatican City Venezuela Vietnam Virgin Islands Wallis and Futuna Islands Western Sahara Yemen Zambia Zimbabwe
Email Address:

I would like to receive a FREE subscription to Information Security magazine online.
YesNo

Do you manage, evaluate, recommend, implement, support or purchase security products, software or services?
YesNo

Please estimate the yearly security budget for your entire organization including all security products and services.
Please select... Over $10 Million $5 Million-$10 Million $1 Million-$4.9 Million $500,000-$999,999 $100,000-$499,999 $50,000-$99,999 $25,000-$49,999 $10,000-$24,999 Less than $10,000 None

What is your role in purchasing IT related products and services? (Check all that apply)
Technical decision maker
Financial decision maker
Recommend/Specify
Evaluate products
Implement Products/Services
Determine Needs
Create Security Strategy
None

By joining SearchSecurity.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.

TechTarget cares about your privacy. Read our Privacy Policy

The combination of DTrace and Ruby provides the starting point for reverse engineering. Although, RE:Trace utilizes this pair functionally, its real strength lies in its prepackaging of reverse engineering tasks and processes. The detection and instruction pinpointing of stack-based buffer overflows, heap overflow monitoring and block-level tracing with code coverage visualization are bundled into the RE:Trace framework. The incorporation of these features, in addition to others, has created this unique and powerful reverse engineering framework.

RE:Trace: How to use it
Reverse engineering malware is an important aspect of security research, which studies the behavior of malicious code using several disk, network, registry and process monitoring tools. RE:Trace provides an effective combination of debugging and disassembly for reverse engineering malicious executables. Its ability to control code execution while simultaneously performing process inspection make it an excellent tool for dynamic analysis.

Modern malware employs a number of mechanisms to thwart its discovery and deconstruction. Common malware tactics include embedding encrypted strings that are decrypted at the stack, and sending kill commands to antivirus and system-protection processes. Furthermore, numerous platform specific anti-debugging methods have been in use for long time.

However, RE:Trace can evade many of these measures through the strategic placement of probes. Using improved EIP register monitoring, instructions responsible for stack overflows can be precisely identified. As dynamically allocated memory has become a greater attack vector, the need for heap monitoring has become important. Addressing this growing threat, RE:Trace not only monitors dynamic allocation functions, but is also able to hook functions aimed at heap overflows.

Summary
The potential of RE:Trace has yet to be realized. Its versatility allows the creation of rootkits and malware, as well as their disassembly and analysis. Hopefully it will continue to be used as a system analysis tool for developers and administrators. However, since resources are almost always misused for malicious intent, its application in security may prove to be its greatest value.

About the author:
Noah Schiffman is a reformed former black-hat hacker who has spent nearly a quarter century penetrating the defenses of Fortune 500 companies. Today he works as an independent IT security consultant specializing in risk assessment, pen testing, cryptography and digital forensics, predictive analysis models, security metrics and corporate security policy. He holds degrees in psychology and mechanical engineering, as well as a doctorate in medicine from the Medical University of South Carolina. Schiffman is based in Charleston, S.C.