VMI-based behaviour monitoring of malware

Student Assistant, Saarland University, CISPA Helmholtz Center for Information Security, 2018

Project by student assistant Patrick Schmelzeisen. The goal was to extend our dynamic malware analysis sandbox (Sandnet) with capabilities to identify and hook dynamic libraries of user space malware via virtual machine introspection (VMI) techniques. In particular, we aimed at using the Drakvuf project for the Xen hypervisor to hook the SSL/TLS libraries used by malware in order to monitor its network traffic before encryption.

I have co-supervised the project together with Dr. Johannes Krupp, Michael Brengel, and Prof. Dr. Christian Rossow.