Stealth Breakpoints

Amit Vasudevan
University of Texas at Arlington
USA

Ramesh Yerraballi
University of Texas at Arlington
USA

Microscopic analysis of malicious code (malware) requires the aid of various powerful tools. Chief among them is a debugger that enables analysis at the binary level. One of the important services provided by a debugger is the ability to stop execution of code at an arbitrary point during runtime, using breakpoints. Software breakpoints change the code being debugged so that it can be interrupted during runtime. Most, if not all, malware is very sensitive to code modification, with self-checking and/or self-modifying capabilities, which limits the scope in which software breakpoints can be used. Hardware breakpoints, supported by the underlying processor, on the other hand use a subset of the processor register set and exception mechanisms to provide breakpoints that do not entail code modification. This makes hardware breakpoints the most powerful breakpoint mechanism for malware analysis. But, given that the maximum number of hardware breakpoints supported by any processor is at most 4 words of memory, a serious restriction is imposed on the debugger, which cannot set the desired number of breakpoints without resorting to the limited alternative of software breakpoints. Also, with the ever-evolving nature of malware, techniques are being employed that prevent the use of hardware breakpoints. This calls for a new breakpoint mechanism that retains the features of hardware breakpoints while providing a virtually unlimited number of breakpoints, which cannot be detected or countered.

In this paper, we present the design and implementation of a breakpoint framework called “stealth breakpoints”, codenamed VAMPiRE. VAMPiRE cannot be detected or countered and allows an unlimited number of breakpoints to be set on code, data, and I/O with the same precision as hardware breakpoints. The technique used by VAMPiRE is a subtle combination of simple stealth techniques employing virtual memory and hardware single-stepping mechanisms, which are available on all processors, old and new. This makes VAMPiRE portable to any architecture, providing powerful hardware-like breakpoint ability for malware analysis with or without native architecture support for hardware breakpoints.
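The mechanism the abstract describes (arm a breakpoint by making its page not-present, service the resulting page fault, let the instruction through for one single-step, then re-arm the page) can be shown on a miniature model. The following is an added example written for this page, not VAMPiRE's code: the `Machine` class is a toy MMU whose only protection is a per-page present bit, `StealthBreakpoints` plays the role of the fault and single-step handlers, and the program, addresses and breakpoint set are constructed. A real implementation does the same thing with page-table entries and the processor's trap flag; the model also shows the two properties the paper relies on, namely that arming a breakpoint changes no code bytes and that accesses to unrelated addresses on an armed page pass through transparently.

```python
"""Toy model of page-fault-driven stealth breakpoints (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

PAGE_SIZE = 0x1000


class PageFault(Exception):
    """Raised by the toy MMU when a non-present page is touched."""
    def __init__(self, addr: int, kind: str) -> None:
        super().__init__(f"{kind} fault at {addr:#x}")
        self.addr, self.kind = addr, kind


@dataclass
class Insn:
    """One instruction: fetched at pc, optionally touching one data address."""
    pc: int
    kind: str = "exec"          # "exec", "read" or "write"
    addr: Optional[int] = None  # data address for read/write
    value: int = 0              # byte stored by a write


class Machine:
    """Memory bytes plus a present bit per page; code bytes are never rewritten."""
    def __init__(self, pages: int) -> None:
        self.mem = bytearray(pages * PAGE_SIZE)
        self.present: Dict[int, bool] = {p: True for p in range(pages)}

    def _touch(self, addr: int, kind: str) -> None:
        if not self.present[addr // PAGE_SIZE]:
            raise PageFault(addr, kind)

    def execute(self, insn: Insn) -> Optional[int]:
        self._touch(insn.pc, "exec")           # instruction fetch first
        if insn.kind == "exec":
            return None
        self._touch(insn.addr, insn.kind)      # then the data access
        if insn.kind == "write":
            self.mem[insn.addr] = insn.value & 0xFF
            return None
        return self.mem[insn.addr]


class StealthBreakpoints:
    """Code/read/write breakpoints that live in the present bits, not in code."""
    def __init__(self, m: Machine) -> None:
        self.m = m
        self.bps: Dict[int, Set[str]] = {}
        self.hits: List[Tuple[int, str, int]] = []   # (pc, kind, addr)

    def set(self, addr: int, kinds: Set[str]) -> None:
        self.bps[addr] = set(kinds)
        self.m.present[addr // PAGE_SIZE] = False   # arm: page not present

    def armed_pages(self) -> Set[int]:
        return {a // PAGE_SIZE for a in self.bps}

    def step(self, insn: Insn) -> Optional[int]:
        """Run one instruction, servicing the faults our armed pages cause."""
        unmasked: Set[int] = set()
        while True:
            try:
                result = self.m.execute(insn)
                break
            except PageFault as f:
                page = f.addr // PAGE_SIZE
                if page not in self.armed_pages():
                    raise                       # not ours: a genuine fault
                if f.kind in self.bps.get(f.addr, set()):
                    self.hits.append((insn.pc, f.kind, f.addr))
                self.m.present[page] = True     # let it through for one step
                unmasked.add(page)
        for page in unmasked:                   # single-step trap: re-arm
            self.m.present[page] = False
        return result

    def run(self, program: List[Insn]) -> List[Tuple[int, str, int]]:
        for insn in program:
            self.step(insn)
        return self.hits


def demo() -> dict:
    """Six breakpoints (more than the four hardware slots) on a made-up program."""
    m = Machine(pages=8)
    before = bytes(m.mem)
    bp = StealthBreakpoints(m)
    bp.set(0x2000, {"exec"})                    # code breakpoint
    bp.set(0x3010, {"write"})                   # data write breakpoint
    for a in range(0x6000, 0x6010, 4):          # four more, never executed
        bp.set(a, {"exec"})
    bytes_changed_by_arming = bytes(m.mem) != before
    program = [                                 # constructed instruction stream
        Insn(0x1000),
        Insn(0x1004, "read", 0x3010),           # read of a write-watched byte
        Insn(0x1008, "write", 0x3010, 7),       # hit
        Insn(0x100C, "read", 0x3020),           # same page, unwatched address
        Insn(0x2000),                           # hit
        Insn(0x2004, "write", 0x5000, 1),       # fetch on armed page, no hit
    ]
    hits = bp.run(program)
    rearmed = all(not m.present[p] for p in bp.armed_pages())
    return {"hits": hits, "bytes_changed_by_arming": bytes_changed_by_arming,
            "breakpoints": len(bp.bps), "stored": m.mem[0x3010], "rearmed": rearmed}
```

Running `demo()` reports exactly two hits, the write at 0x3010 and the fetch at 0x2000; the read at 0x3010, the read at 0x3020 and the fetch at 0x2004 all fault because they touch an armed page, but they are passed through without being reported. The cost visible here is the one the approach pays in practice: every access to an armed page takes a fault and a single-step, so the handler must be fast and must decide quickly whether the faulting address is one it owns.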

Keywords: Stealth Breakpoints, Debugging, Malware Analysis
