Virtual Machine Introspection in Malware Analysis

This article will illustrate how Virtual Machine Introspection can be applied to malware analysis. It will be more focused on malware analysis on Windows architectures. All malwares analysis posted in our blog are done with the help of the dynamic analysis system based on Virtual Machine Introspection technology.

In general, the term introspection is the observation and the examination of one’s own mental and emotional state. It is considered as the act of looking within oneself. The good example to illustrate introspection is the door peephole that is used to observe the external world without being part. However, Virtual Machine Introspection is the art of introspecting the guest machines from the hypervisor and accessing to them without being inside or having an installed agent on the guests. All is done from the outside.

 

Why Vitual Machine Introspection?

One of the main to use VMI in malware analysis is that advanced malwares such as Rootkits are not detected using traditional automated malware analysis systems. The other reason is the advanced features that this technology provides to have a deep vision on each and every action happening on the guest operating system.

With VMI technology, it is no more needed to be part of the malware environment to analyze malwares because the whole analysis process will be done outside of the guest OS. That’s why applying VMI to malware analysis is way better than the traditional analysis technologies.

 

Virtual Machine Introspection architecture

In general, two types of hypervisors can be considered.

  • Bare Metal: also known as type-1 hypervisors, these are hypervisors that run directly on the host hardware in order to control it and manage the guest machines. Bare Metal hypervisors can be Xen…
  • Hosted: also known as type-2 hypervisors, these are hypervisors that run within an existing guest OS. To achieve this, many tools exist like the most used ones VirtualBox, VMware Player, Microsoft Hyper-V…

Here is a simplified implementation of the described hypervisor types below.

hypervisor types

The next figure illustrates how introspection works on a Bare Metal hypervisor. Introspection tools installed on the hypervisor allow to monitor everything happening on the guest OS (system/network activities, installed apps…).

SAFE introspection on bare metal hypervisor

 

Memory mapping

In general, there is two levels of memory; virtual memory and physical memory for a physical machine, and three levels when it comes to hypervisors (guest OS virtual memory, guest OS physical memory and host physical memory). Keep in mind that hypervisors give only to the guest OS memory size it asked for from host physical memory. Hypervisors by default don’t have any knowledge of what is happening inside the guest virtual memory. To do so, additional tools should be installed.

Below, a simplified example of how memory is shared with guest OS:

SAFE memory mapping on hypervisor

One of the goals of VMI tools is to perform address translation from guest virtual memory to guest physical memory, then from guest physical memory to host physical memory in order to help the hypervisor access the right memory addresses while doing introspection.

 

How Vitual Machine Introspection helps in malware analysis?

Today’s traditional malware analysis technologies are no more sufficient when it comes to detect the latest malware attacks. Thanks to stealthy hypervisors, malware monitoring can be moved to kernel level unlike the traditional systems. It offers as well many ways to deal with Windows security components when it comes to hook in a low level (e.g: PatchGuard). In addition to that, with the VMI technology we can now be sure to cover the analysis of all the types of malwares including Rootkits.

By using maliciously some Windows API, malwares can be flagged by their behaviors. So, in order to detect malwares we can set the monitoring on API use. Below an example on how to monitor Windows API from the hypervisor:

SAFE hypervisor memory breakpoint

During the VMI initialization, some memory breakpoints are set from the hypervisor on the monitored API. Each time the breakpoint is trapped, function arguments containing interesting information are caught. Thanks to the API and its arguments, we are able to get the behavior of the malware.

 

We use VMI technology to detect malwares

SAFE Endpoint Security uses Virtual Machine Introspection technology as one of its malware analysis components. It allows to deeply analyze programs and determine based on their behaviors whether they are benign or malicious.

Below a malware analysis report based on behaviors detected using SAFE VMI technology:

SAFE Dynamic analysis result with virtual machine introspection