Peeking into Pandora's Bochs - instrumenting a full system emulator to analyse malicious software

Presented at HackLu 2009 by

Today, malicious software (malware) poses a major threat to computer systems. Malware is often runtime-packed (or runtime-encrypted) to evade signature-based detectors and to keep the actual malicious code out of reach of static analysis. It is also common for the unpacking (or decryption) stubs to employ anti-debugging techniques that hinder dynamic analysis and manual unpacking by human analysts. Pandora's Bochs was originally developed as a tool to unpack such runtime-packed binaries. The instrumentation facilities of the open source PC emulator Bochs were extended with a Python interface, and a set of Python routines was written to monitor an unmodified Windows XP guest system from outside the guest. The tool can identify and instrument individual processes, trace memory writes and branches, and dump a process's memory as soon as control is transferred to a memory region that the process itself has modified (the point at which the unpacked code is present in memory). This method works well against common runtime packers. Because Pandora's Bochs does not rely on any debugging facilities provided by the guest system, it is largely unaffected by common anti-debugging techniques. Since its inception as an automated unpacker, Pandora's Bochs has been extended to also monitor calls to the Windows API and their arguments.

The presentation will focus on the technical aspects of Pandora's Bochs. It will give a brief overview of typical runtime packer and executable protector behaviour, of Bochs's instrumentation facilities, and of the Python interface that was created. It will detail the techniques used to obtain information about guest operating system and process state, how processes are monitored and unpacked, and how API call tracing is implemented. Like Bochs, Pandora's Bochs is open source software.
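The unpacking heuristic described above (record which memory a process writes, and dump when a branch lands in written memory) can be modelled without an emulator. The following Python block is an added example and not Pandora's Bochs code: it assumes a hypothetical event stream in which each memory write and each taken branch arrives with the guest's CR3 value (used to tell processes apart) and the current privilege level, and it returns a dump record instead of reading guest memory. The process identifiers, addresses and event trace are constructed for illustration.

```python
"""Write-then-execute unpacking heuristic, modelled stand-alone (added example)."""
from dataclasses import dataclass


@dataclass
class Dump:
    cr3: int        # page-directory base that identifies the guest process
    entry: int      # first instruction address executed from modified memory
    regions: list   # coalesced [start, end) byte ranges written before execution


def coalesce(addrs):
    """Turn a set of written byte addresses into sorted, merged [start, end) ranges."""
    out = []
    for a in sorted(addrs):
        if out and out[-1][1] == a:
            out[-1][1] = a + 1
        else:
            out.append([a, a + 1])
    return [tuple(r) for r in out]


class UnpackMonitor:
    """Tracks user-mode writes of one process and fires when written memory executes."""

    def __init__(self, target_cr3):
        self.target_cr3 = target_cr3
        self.dirty = set()      # linear addresses written by the monitored process
        self.dumps = []

    def on_write(self, cr3, cpl, addr, size):
        # Only the monitored process, and only user-mode writes: kernel-mode writes
        # (image mapping, paging) would otherwise mark the whole image as modified.
        if cr3 != self.target_cr3 or cpl != 3:
            return
        self.dirty.update(range(addr, addr + size))

    def on_branch(self, cr3, cpl, target):
        # A branch into memory the process wrote itself means unpacked code is
        # about to run; record a dump and reset for a possible next packer layer.
        if cr3 != self.target_cr3 or cpl != 3 or target not in self.dirty:
            return None
        dump = Dump(cr3, target, coalesce(self.dirty))
        self.dumps.append(dump)
        self.dirty.clear()
        return dump


# Constructed event stream: (kind, cr3, cpl, addr, size). A hypothetical packer
# stub in the process with CR3 0x39000 decrypts 0x40 bytes at 0x401000 in two
# writes and then jumps there; unrelated events are interleaved to show filtering.
EVENTS = [
    ("write", 0x39000, 0, 0x400000, 0x1000),   # kernel maps the image: ignored
    ("write", 0x39000, 3, 0x401000, 0x20),     # stub writes first half
    ("write", 0x39000, 3, 0x401020, 0x20),     # stub writes second half
    ("branch", 0x7C000, 3, 0x401000, 0),       # another process: ignored
    ("branch", 0x39000, 3, 0x402000, 0),       # jump inside the unmodified stub: no dump
    ("branch", 0x39000, 3, 0x401000, 0),       # jump into decrypted code: dump
]


def run(events, cr3=0x39000):
    """Feed an event stream through the monitor and return the dumps it produced."""
    mon = UnpackMonitor(cr3)
    for kind, c, cpl, addr, size in events:
        if kind == "write":
            mon.on_write(c, cpl, addr, size)
        else:
            mon.on_branch(c, cpl, addr)
    return mon.dumps


if __name__ == "__main__":
    for d in run(EVENTS):
        ranges = [(hex(s), hex(e)) for s, e in d.regions]
        print(f"dump for cr3 {d.cr3:#x}: entry {d.entry:#x}, written regions {ranges}")
```

The per-process filter on CR3 and the restriction to user-mode writes are what keep the heuristic from firing on the loader or the kernel; clearing the dirty set after each dump is what lets a multi-layer packer produce one dump per layer. A real implementation would read the guest's process memory at the dump point and record the branch target as the candidate original entry point.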