{"title":"Osiris: A Malware Behavior Capturing System Implemented at Virtual Machine Monitor Layer","authors":"Ying Cao, Jiachen Liu, Qiguang Miao, Weisheng Li","doi":"10.1109/CIS.2012.126","DOIUrl":null,"url":null,"abstract":"Capturing behavior of malware is one of the essential prerequisites for dynamic malware analysis. In this paper, we study and design a system called Osiris, which makes use of virtual machine technique to capture malware behavior. In particularly, we monitor Windows API calls invoked by the process under analysis (or target program) to rebuild its behaviors. The monitor is implemented at the virtual machine manager layer rather than inside the Guest OS, which is an innovation compared to other available methods. Qemu, an open-source system emulator, is used as the emulator component of Osiris. By modifying Qemu's translation process, an API analysis framework is inserted to intercept API calls. Besides this, Osiris also collects security relevant OS kernel data directly from virtual memory for further analysis. Osiris has advantages over previous systems in that it requires no complex analysis environment and does not interfere the execution of target programs. It overcomes the deficiencies previous ones employed that the information collected is incomplete and imprecise. These features make Osiris an ideal tool for automatic malware analysis. It can provide fine data for behavior-based malware detection.","PeriodicalId":294394,"journal":{"name":"2012 Eighth International Conference on Computational Intelligence and Security","volume":"54 6 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2012-11-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"14","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2012 Eighth International Conference on Computational Intelligence and Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/CIS.2012.126","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 14
Abstract
Capturing the behavior of malware is one of the essential prerequisites for dynamic malware analysis. In this paper, we study and design a system called Osiris, which makes use of virtual machine techniques to capture malware behavior. In particular, we monitor the Windows API calls invoked by the process under analysis (the target program) to reconstruct its behavior. The monitor is implemented at the virtual machine manager layer rather than inside the Guest OS, which is an innovation compared to other available methods. Qemu, an open-source system emulator, is used as the emulator component of Osiris. By modifying Qemu's translation process, an API analysis framework is inserted to intercept API calls. In addition, Osiris collects security-relevant OS kernel data directly from virtual memory for further analysis. Osiris has advantages over previous systems in that it requires no complex analysis environment and does not interfere with the execution of target programs. It overcomes the deficiency of previous systems, in which the information collected is incomplete and imprecise. These features make Osiris an ideal tool for automatic malware analysis. It can provide fine-grained data for behavior-based malware detection.