
Taint Analysis of x86 Machine Code


Supervisor(s): Manuela Seider-Bengler
Status: finished
Topic: Machine Learning Methods
Author: Felix Wruck
Submission: 2018-07-16
Type of Thesis: Master's thesis

Description

In the context of program analysis, the techniques of dynamic analysis and taint
analysis have gained widespread use. Many research efforts in this area use one
or both of these techniques to analyze binary programs. In many cases the
analyzed software is untrusted, or the samples under analysis are malware. Many
of these malware samples target the Windows operating system.

In this context, strong isolation and non-detectability are important properties
of an analysis framework: isolation prevents the analyzed program from attacking
the analysis environment, and non-detectability makes it possible to reliably
analyze split-personality malware, which behaves differently once it detects
that it is being analyzed.

Virtualization provides both of these properties. It is therefore beneficial to
combine the aforementioned techniques with virtualization, as PANDA does.
However, no existing framework currently targets the most recent version of
Windows, Windows 10.

Therefore, this thesis analyzes the opportunities and difficulties of virtual
machine introspection based, interactive, in-vivo dynamic taint analysis on
Windows 10. The techniques analyzed in this thesis have also been implemented.