Stealthy Profiling and Debugging of Malware Trampolining from User to Kernel Space

Abstract

A reverse engineer trying to understand protected malware binaries is faced with avoiding detection by antidebugging protections. Advanced protection systems may even load specialized drivers that can re-flash firmware and change the privileges of running applications, significantly increasing the penalty of detection. Hades is a Windows kernel driver designed to aid reverse engineering endeavors. It avoids detection by employing intelligent instrumentation via instruction rerouting in both user and kernel space. This technique allows a reverse engineer to easily debug and profile binaries without fear of invoking protection penalties.