Keynote SSTIC 2009 – Dynamic analysis from kernel space with Kolumbo
Speaker: Julien DESFOSSEZ
Main objective: to analyze malware, or any program, while sidestepping its anti-debugger protections.
The usual user-space tracing techniques (ptrace, software breakpoints) are easily detected by the program under analysis.
The tool runs in kernel space and offers several modes:
Trace mode:
Displays system calls, registers (i.e. the syscall parameters) and the page table.
Every int 0x80 (system call) is intercepted by replacing its handler in the IDT; the information is recorded and the call is then forwarded to the legitimate handler.
Dump mode:
The tool reconstructs the ELF directly from memory by reassembling it from the separate loaded segments (this is NOT a copy of the on-disk file).
The resulting ELF is not strictly valid, but this is not a problem, since the information needed to execute it is present.
The tool does not yet work with packers.
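As an added example (not part of the presentation and not Kolumbo's code), the following program shows the core of the memory reconstruction described above, applied to the running process itself. It walks the program headers reported by dl_iterate_phdr (a glibc API; here it stands in for reading the target's memory map from the kernel), copies each PT_LOAD segment out of live memory rather than from the file, and rewrites the ELF and program headers so that the result is loadable even though it carries no section headers. Linux on x86_64 with glibc is assumed; the function rebuild_elf_from_memory and the struct dump are names chosen for this example.

```c
/* Added example (not Kolumbo's code): rebuild a loadable ELF image of the
 * running process from its mapped PT_LOAD segments, the way a memory dumper
 * must, rather than copying the on-disk file. Linux/glibc x86_64 assumed. */
#define _GNU_SOURCE
#include <elf.h>
#include <link.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct dump { unsigned char *buf; size_t len; int loads; };

/* Called once per loaded object; the main executable is reported first,
 * so the callback returns non-zero to stop after it. */
static int rebuild_cb(struct dl_phdr_info *info, size_t size, void *arg)
{
    (void)size;
    struct dump *d = arg;
    const ElfW(Phdr) *ph = info->dlpi_phdr;
    int n = info->dlpi_phnum;
    uintptr_t bias = info->dlpi_addr;       /* load bias (0 for non-PIE) */

    /* 1. Span of the memory image: lowest PT_LOAD vaddr to the end of the
     *    highest one. The first PT_LOAD is page aligned, so using
     *    file_offset = vaddr - base keeps offset == vaddr (mod p_align),
     *    which the kernel loader requires. */
    uintptr_t base = UINTPTR_MAX, end = 0;
    for (int i = 0; i < n; i++) {
        if (ph[i].p_type != PT_LOAD) continue;
        if (ph[i].p_vaddr < base) base = ph[i].p_vaddr;
        if (ph[i].p_vaddr + ph[i].p_memsz > end) end = ph[i].p_vaddr + ph[i].p_memsz;
    }
    if (base == UINTPTR_MAX) { d->loads = -1; return 1; }

    d->len = end - base;
    d->buf = calloc(1, d->len);
    if (!d->buf) { d->loads = -1; return 1; }

    /* 2. Copy each PT_LOAD out of live memory. Copying p_memsz rather than
     *    p_filesz captures the segment as it is now (including .bss), which
     *    is what a dumper needs once a packer has unpacked code in place. */
    for (int i = 0; i < n; i++) {
        if (ph[i].p_type != PT_LOAD || ph[i].p_memsz == 0) continue;
        memcpy(d->buf + (ph[i].p_vaddr - base),
               (const void *)(bias + ph[i].p_vaddr), ph[i].p_memsz);
        d->loads++;
    }

    /* 3. Rewrite the ELF header and program headers inside the dump so the
     *    p_offset fields match the new file layout. Section headers are
     *    dropped: readelf/objdump will complain, but execve() and ld.so
     *    only need the program headers. */
    ElfW(Ehdr) *eh = (ElfW(Ehdr) *)d->buf;
    if (d->len < sizeof(*eh) || memcmp(eh->e_ident, ELFMAG, SELFMAG) != 0 ||
        eh->e_phoff + (size_t)n * sizeof(ElfW(Phdr)) > d->len) {
        d->loads = -1;                      /* header not inside first PT_LOAD */
        return 1;
    }
    ElfW(Phdr) *nph = (ElfW(Phdr) *)(d->buf + eh->e_phoff);
    for (int i = 0; i < n; i++) {
        nph[i] = ph[i];
        if (ph[i].p_vaddr != 0) nph[i].p_offset = ph[i].p_vaddr - base;
        if (ph[i].p_type == PT_LOAD) nph[i].p_filesz = ph[i].p_memsz;
    }
    eh->e_phnum = (ElfW(Half))n;
    eh->e_shoff = 0; eh->e_shnum = 0; eh->e_shstrndx = 0;
    return 1;
}

/* Returns the number of PT_LOAD segments dumped (>0) or -1 on failure; the
 * image is returned in *out/*out_len and must be free()d by the caller. */
int rebuild_elf_from_memory(unsigned char **out, size_t *out_len)
{
    struct dump d = {0};
    dl_iterate_phdr(rebuild_cb, &d);
    if (!d.buf || d.loads <= 0) { free(d.buf); return -1; }
    *out = d.buf; *out_len = d.len;
    return d.loads;
}

int main(int argc, char **argv)
{
    unsigned char *img; size_t len;
    int loads = rebuild_elf_from_memory(&img, &len);
    if (loads < 0) { fputs("dump failed\n", stderr); return 1; }
    const char *path = argc > 1 ? argv[1] : "dumped.elf";
    FILE *f = fopen(path, "wb");
    if (!f || fwrite(img, 1, len, f) != len) { perror(path); return 1; }
    fclose(f);
    printf("wrote %zu bytes (%d PT_LOAD segments, no section headers) to %s\n",
           len, loads, path);
    free(img);
    return 0;
}
```

Run the binary and compare `readelf -l` on the original and on dumped.elf: the segment layout matches, p_filesz of the data segment now equals its p_memsz, and `readelf -S` reports no sections, which is exactly the "not strictly valid but executable" state the talk describes.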
Anti-fingerprint mode:
Purpose: allow standard debuggers to be used despite the protections. By modifying the return code of ptrace (as in trace mode, the system call itself is intercepted), we prevent it from returning an error when the process is already being traced, and therefore prevent the debugger from being detected.
Upcoming improvements: more advanced handling of detection techniques, packers, etc.
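As an added example (not part of the presentation and not Kolumbo's code), the program below is a user-space stand-in for both the trace mode and the anti-fingerprint mode. A tracer stops a child at every system call entry and exit and logs the syscall number with its first register arguments (trace mode); when the child issues the classic ptrace(PTRACE_TRACEME) self-check, which fails with EPERM whenever a tracer is already attached, the tracer rewrites the syscall's return value from -EPERM to 0 at the exit stop (anti-fingerprint mode). It is written with ptrace itself because an IDT hook cannot be shown as a runnable user-space example; that choice is precisely the weakness the talk addresses, since this tracer is visible through the TracerPid field of /proc/self/status, whereas a kernel-side hook is not. Linux on x86_64 is assumed (orig_rax/rax register names); the functions trace_child and target_anti_debug_check are names chosen for this example.

```c
/* Added example (not Kolumbo's code): syscall-exit rewriting of ptrace's
 * return value, done from user space with ptrace. Linux x86_64 only. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* Target side: the usual self-check. A PTRACE_TRACEME issued while a tracer
 * is already attached fails with EPERM. Returns 1 = "debugger detected". */
static int target_anti_debug_check(void)
{
    return ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1 ? 1 : 0;
}

/* Tracer side: run fn() in a traced child and return its exit status.
 * patch != 0 enables the anti-fingerprint rewrite. syscalls_seen and
 * patched report how many syscalls were observed and how many ptrace
 * results were altered. Returns -1 if tracing itself failed. */
int trace_child(int (*fn)(void), int patch, int *syscalls_seen, int *patched)
{
    *syscalls_seen = 0; *patched = 0;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1) _exit(127);
        raise(SIGSTOP);                    /* hand control to the tracer */
        _exit(fn());
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) return -1;
    /* TRACESYSGOOD marks syscall stops with SIGTRAP|0x80 so they cannot be
     * confused with a real SIGTRAP raised by the child. */
    if (ptrace(PTRACE_SETOPTIONS, pid, NULL,
               (void *)(uintptr_t)PTRACE_O_TRACESYSGOOD) == -1) return -1;

    int in_syscall = 0;                    /* stops alternate entry / exit */
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, NULL) == -1) return -1;
        if (waitpid(pid, &status, 0) < 0) return -1;
        if (WIFEXITED(status)) return WEXITSTATUS(status);
        if (WIFSIGNALED(status)) return -1;
        if (!WIFSTOPPED(status) || WSTOPSIG(status) != (SIGTRAP | 0x80))
            continue;                      /* plain signal stop: resume, swallow it */

        struct user_regs_struct regs;
        if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) == -1) return -1;
        long nr = (long)regs.orig_rax;     /* syscall number survives into the exit stop */
        if (!in_syscall) {
            /* trace mode: syscall number and first three argument registers */
            (*syscalls_seen)++;
            fprintf(stderr, "syscall %ld(%#llx, %#llx, %#llx)\n",
                    nr, regs.rdi, regs.rsi, regs.rdx);
            in_syscall = 1;
        } else {
            /* exit stop: rax holds the result the child is about to see */
            if (patch && nr == SYS_ptrace && regs.rdi == PTRACE_TRACEME &&
                (long)regs.rax == -EPERM) {
                regs.rax = 0;              /* anti-fingerprint: report success */
                if (ptrace(PTRACE_SETREGS, pid, NULL, &regs) == -1) return -1;
                (*patched)++;
            }
            in_syscall = 0;
        }
    }
}

int main(void)
{
    int seen, patched;
    int plain  = trace_child(target_anti_debug_check, 0, &seen, &patched);
    printf("plain tracer: child reports %s\n",
           plain ? "DEBUGGER DETECTED" : "clean");
    int hidden = trace_child(target_anti_debug_check, 1, &seen, &patched);
    printf("ptrace return patched: child reports %s (%d syscalls seen, %d patched)\n",
           hidden ? "DEBUGGER DETECTED" : "clean", seen, patched);
    return 0;
}
```

The first run shows the self-check firing under an ordinary tracer; the second shows the same check passing once the EPERM is rewritten at syscall exit, which is the effect Kolumbo obtains in the kernel without exposing a tracer to the target.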
To be continued.
