QTrace is a “zero knowledge” system call tracer, based on QEMU. Its main characteristic is that system call arguments are dumped without the need to instruct the tracer about their structure. As an example, QTrace can be used to easily dump
win32k.sys graphical system calls (as well as undocumented ones) despite the intricacies in their arguments (and the lack of official documentation).
Additionally, QTrace includes a dynamic taint-tracking module, used to (dynamically) track dependencies between system calls (e.g., one of the output arguments of system call A is eventually used as an input argument for system call B). Traced system calls are serialized to a Protocol Buffer stream and can then be parsed off-line. QTrace includes some basic Python post-processing tools. The whole infrastructure is mainly targeted to Windows systems, but can be extended to support other OSes as well.
ProcessTap is a dynamic tracing framework for analyzing closed source-applications. ProcessTap is inspired by DTrace and SystemTap, but it is specific for analyzing closed-source user-space applications. ProcessTap leverages dynamic binary instrumentation to intercept the events of interest (e.g., function calls, system call, memory accesses, and conditional control transfers). Although the current implementation relies on PinTool, alternative back-ends for instrumentation (e.g., Valgrind, Qemu, or DynamoRIO) can be used. The language used in ProcessTap for writing scripts to instrument applications is Python.
HyperDbg is a kernel debugger that leverages hardware-assisted virtualization. More precisely, HyperDbg is based on a minimalistic hypervisor that is installed while the system runs. Compared to traditional kernel debuggers (e.g., WinDbg, SoftIce, Rasta R0 Debugger) HyperDbg is completely transparent to the kernel and can be used to debug kernel code without the need of serial (or USB) cables.
KEmuFuzzer is protocol-specific fuzzer for system virtual machines. KEmuFuzzer generates floppy images to boot a virtual machine and to execute a specific test-case. The same test-case is executed also in an oracle, based on hardware-assisted virtualization. The states obtained are compared to detect defects in the virtual machine. Test-cases are generated using a special compiler that applies certain mutations before compiling.
EmuFuzzer is a fuzzer for CPU emulators. EmuFuzzer “stresses” a CPU emulator with specially crafted test-cases, representing registers and memory configurations, to verify whether the CPU is properly emulated or not. EmuFuzzer detects improper behaviours of the emulator by running the same test-case concurrently on the emulated and on the physical CPUs and by comparing the state of the two after the execution. Differences in the state testify defects in the code of the emulator.
We also used EmuFuzzer to discover red-pills: programs or procedures capable of identifying if they are executed on a physical CPU or on an emulated CPU. Such red-pills can be used in malicious programs to impede dynamic analysis attempts. For more details see the paper A fistful of red-pills: How to automatically generate procedures to detect CPU emulators and the web page devoted to the project.
WUSSTrace is a user-space syscall tracer for Microsoft Windows developed for fine grained syscall tracing: it supports the majority of Windows system calls (except GUI system calls), the majority of argument types, and dumps faithfully all the supported types. WUSSTrace produces easy-to-parse XML traces leveraging the Boost serialization library. Tracing is performed by injecting a shared library in the address space of the traced process and by hooking the stubs
WUSSTrace is developed with Lorenzo Martignoni
FluXOR is a system to detect and monitor fast-flux service networks. Its monitoring and detection strategies entirely rely on the analysis of a set of features observable from the point of view of a victim of the scams perpetrated by the botnets.
FluXOR is presented into more detail in the paper FluXOR: detecting and monitoring fast-flux service networks.
PyEA is a hybrid static/dynamic code analyser written in Python. The analyser was originally developed to statically analyse IA-32 malicious programs, but has soon evolved into a generic analyser for compiled programs. PyEA currently supports PE and ELF executables, disassembles executables using a recursive disassembler, and translates each machine instruction into an intermediate form, that makes side effects explicit. The analyses work directly on the intermediate representation and include graph dominance analysis, static and dynamic data- and control-dependency analyses, liveness and reachability, and loop analysis.
PyEA contains a process execution tracer for GNU/Linux based on
ptrace() and interfaces with the STP constraint solver (using the PySTP extension module). Support for hybrid analysis of PHP bytecode has also been introduced into this framework.
PyEA is developed with Lorenzo Martignoni