Automated, Generic System Call Hooking, and Interpretation presented at BSidesLuxembourg 2018

by Markus Partheymüller

Summary: When doing malware analysis, monitoring application behavior plays an essential role, and system call monitoring is one of our most used mechanisms for it. In contrast to approaches that, for example, put breakpoints into mapped libraries, we employ a VM monitor approach that catches the SYSCALL instruction itself. When a process is interrupted on such an instruction, which syscall did it actually attempt, and what do its parameters mean, given that all of it is encoded in CPU registers or on the stack? To solve that problem in the most elegant way for our users, we needed a library of signatures for all syscalls, along with the data structure types and formats they use. We automated the process of harvesting system call and data structure definitions from multiple public open-source sources and preprocessing them into a single data source in machine-readable form. We present the results, which we keep open source to share with the community, and demonstrate how this improves the analyst workflow.
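As an added illustration of the interpretation step described above (not code from the talk or its released library), the following Python decodes a register snapshot taken at a trapped SYSCALL against a small signature table of the kind such a library provides. It assumes the x86-64 Linux ABI and a flat guest-memory image for resolving string pointers; the signature entries and the memory contents are constructed samples.

```python
# Interpret a trapped SYSCALL from a register snapshot using a small
# machine-readable signature library. Assumes the x86-64 Linux ABI
# (number in rax; arguments in rdi, rsi, rdx, r10, r8, r9).
# Constructed excerpt of such a library; the type tags drive the rendering.
SIGNATURES = {
    1:   ("write",  [("fd", "int"), ("buf", "ptr"), ("count", "size_t")]),
    257: ("openat", [("dfd", "fd_at"), ("filename", "cstr"),
                     ("flags", "open_flags"), ("mode", "mode_t")]),
}
ARG_REGS = ("rdi", "rsi", "rdx", "r10", "r8", "r9")
ACCESS_MODES = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}
OPEN_FLAG_BITS = {0o100: "O_CREAT", 0o1000: "O_TRUNC", 0o2000: "O_APPEND"}
AT_FDCWD = -100

def read_cstring(memory, base, addr, limit=256):
    """Read a NUL-terminated string from a flat guest-memory image
    (constructed here as a bytes blob mapped at address `base`)."""
    off = addr - base
    if not 0 <= off < len(memory):
        return None                       # unmapped pointer: report, don't crash
    end = memory.find(b"\0", off, off + limit)
    return memory[off:off + limit if end < 0 else end].decode("latin-1")

def render(value, typ, memory, base):
    """Render one raw 64-bit register value according to its declared C type."""
    if typ in ("int", "fd_at"):
        # C 'int' arguments are the sign-extended low 32 bits of the register.
        sv = (value & 0xffffffff) - ((value & 0x80000000) << 1)
        return "AT_FDCWD" if typ == "fd_at" and sv == AT_FDCWD else str(sv)
    if typ == "cstr":
        s = read_cstring(memory, base, value)
        return f'"{s}"' if s is not None else f"<unmapped 0x{value:x}>"
    if typ == "open_flags":
        names = [ACCESS_MODES.get(value & 0o3, "O_ACCMODE?")]
        names += [n for bit, n in OPEN_FLAG_BITS.items() if value & bit]
        return "|".join(names)
    if typ == "mode_t":
        return f"0{value & 0o7777:o}"
    return f"0x{value:x}" if typ == "ptr" else str(value)   # ptr / size_t

def decode_syscall(regs, memory=b"", base=0):
    """Map a register snapshot to 'name(arg=value, ...)'; unknown numbers still show raw args."""
    nr = regs["rax"]
    if nr not in SIGNATURES:
        return f"sys_{nr}({', '.join(hex(regs[r]) for r in ARG_REGS)})"
    name, params = SIGNATURES[nr]
    args = [f"{p}={render(regs[r], t, memory, base)}"
            for (p, t), r in zip(params, ARG_REGS)]
    return f"{name}({', '.join(args)})"
```

In a real monitor the register snapshot comes from the VM exit on the SYSCALL instruction and the memory reader walks the guest page tables; the table here stands in for the harvested signature database.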