dirtbox, a highly scalable x86/Windows Emulator presented at REcon 2010

by Georg Wicherski

URL : http://www.recon.cx/2010/slides/recon-dirtbox.pdf

Summary : dirtbox is an attempt to implement a highly scalable x86/Windows emulator that can be used both for simple malware detection and for detailed behavior analysis reports. Instead of emulating every single x86 instruction in software, malware instructions are executed directly on the host CPU, one basic block at a time. A disassembling pass over each basic block ensures that no privileged or control-flow-subverting instructions are executed. The notion of a virtual memory that is separated from the emulator's own memory is implemented with special LDT segments, switching segment selectors before guest instructions are executed.
The operating system is emulated at the syscall layer. While this layer is mostly undocumented and implementing it accurately is a challenging task on its own, the fact that no register changes are leaked from Ring 0 thwarts a lot of detection techniques. To support the high-level APIs, the corresponding libraries are mapped directly into the virtual memory as well. Detection mechanisms such as the following are therefore supported automatically:
- Examination of the ecx register after an SEH-protected API call
- Stolen bytes from an API library implementation
- Direct reads from and writes to the PEB, other static locations, or the mapped libraries
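The per-basic-block gate described above, as an added example in Python that is not dirtbox's own code: it scans a pre-decoded instruction stream (offset, length, mnemonic, operands, as a disassembler would emit it) and reports how far the host CPU may run natively and which instruction the emulator must take over. The instruction classes, the treatment of segment-register writes as isolation-breaking, and the sample streams are assumptions constructed for this illustration.

```python
from dataclasses import dataclass
# Constructed instruction record: what a disassembler hands to the block scanner.
@dataclass(frozen=True)
class Insn:
    offset: int
    length: int
    mnemonic: str
    operands: str = ""
# Control transfers end the block: the emulator, not the host CPU, resolves the target.
CONTROL_FLOW = {"jmp", "call", "ret", "retn", "retf", "loop", "loope", "loopne"}
# Entry points into the OS layer, which dirtbox emulates at the syscall level.
SYSCALL_ENTRY = {"sysenter", "int"}
# Ring-0-only instructions: a real Ring 3 process faults here, so the emulator must too.
PRIVILEGED = {"cli", "sti", "hlt", "in", "out", "ins", "outs", "rdmsr", "wrmsr",
              "lgdt", "lidt", "lldt", "ltr", "invlpg", "wbinvd"}
# Assumption: guest writes to segment registers would escape the LDT-backed virtual
# memory, so the scan treats them like privileged instructions.
SEGMENT_LOADS = {"lds", "les", "lfs", "lgs", "lss"}
SEGMENT_REGS = {"cs", "ds", "es", "fs", "gs", "ss"}
def is_control_flow(i: Insn) -> bool:
    return i.mnemonic in CONTROL_FLOW or i.mnemonic.startswith("j")  # jmp/jcc/jecxz
def subverts_isolation(i: Insn) -> bool:
    dest = i.operands.split(",")[0].strip()
    return (i.mnemonic in PRIVILEGED or i.mnemonic in SEGMENT_LOADS
            or (i.mnemonic in {"mov", "pop"} and dest in SEGMENT_REGS))
def scan_basic_block(insns, start):
    """Return (verdict, end, stop): bytes [start, end) may run natively on the host.
    verdict is "transfer" (stop is a control transfer the emulator resolves), "syscall"
    (stop enters the emulated OS layer), "fault" (stop is privileged; inject the guest's
    exception) or "incomplete" (stream ended or had a gap; nothing past end is vetted)."""
    cursor = start
    for i in sorted(insns, key=lambda x: x.offset):
        if i.offset < start:
            continue
        if i.offset != cursor:  # hole in the decoded stream: refuse to run past it
            return "incomplete", cursor, None
        if subverts_isolation(i):
            return "fault", i.offset, i
        if i.mnemonic in SYSCALL_ENTRY:
            return "syscall", i.offset, i
        if is_control_flow(i):
            return "transfer", i.offset, i
        cursor = i.offset + i.length
    return "incomplete", cursor, None
# Constructed samples: a user-mode syscall stub, and code that writes a segment register.
STUB = [Insn(0, 5, "mov", "eax, 0x25"), Insn(5, 2, "mov", "edx, esp"),
        Insn(7, 2, "sysenter"), Insn(9, 1, "ret")]
ESCAPE = [Insn(0, 2, "xor", "eax, eax"), Insn(2, 2, "mov", "ds, ax"), Insn(4, 2, "jmp", "0x20")]
```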