CCS 2017
Capturing Malware Propagations with Code Injections and Code-Reuse Attacks
David Korczynski, Heng Yin
Abstract
Defending against malware involves analysing large amounts of suspicious samples. To deal with such quantities we rely heavily on automatic approaches to determine whether a sample is malicious or not. Unfortunately, complete and precise automatic analysis of malware is far from an easy task. This is because malware is often designed to contain several techniques and countermeasures specifically to hinder analysis. One of these techniques is for the malware to propagate through the operating system so as to execute in the context of benign processes. The malware does this by writing memory to a given process and then proceeds to have this memory execute. In some cases these propagations are trivial to capture because they rely on well-known techniques. However, in the cases where malware deploys novel code injection techniques, relies on code-reuse attacks and potentially deploys dynamically generated code, the problem of capturing a complete and precise view of the malware execution is non-trivial. In this paper we present a unified approach to tracing malware propagations inside the host in the context of code injections and code-reuse attacks. We also present, to the knowledge of the authors, the first approach to identifying dynamically generated code based on information-flow analysis. We implement our techniques in a system called Tartarus and evaluate Tartarus on both synthetic applications and real-world malware. We compare Tartarus to previous works and show that our techniques substantially improve the precision for collecting malware execution traces, and that our approach can capture intrinsic characteristics of novel code injection techniques.
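The core idea in the abstract, write-then-execute propagation tracked with information flow, as an added illustration that is not code from the paper or from Tartarus. It assumes a constructed toy event trace (a `Write` carries the writer's process, instruction pointer, the target process and the byte range; an `Exec` is a control transfer) and tags bytes written by malware code, or by code that is itself tainted, so that executing them is reported as an injection (cross-process) or as dynamically generated code (same process).

```python
from dataclasses import dataclass

# Constructed trace format for this illustration; not a real tracer's output.
@dataclass(frozen=True)
class Write:
    writer_pid: int   # process whose instruction performed the write
    ip: int           # address of the writing instruction
    target_pid: int   # process whose memory is written (differs for injection)
    addr: int
    size: int

@dataclass(frozen=True)
class Exec:
    pid: int          # process transferring control
    addr: int         # target address of the control transfer

class PropagationTracker:
    """Byte-granular write taint: a byte is tainted when written by the malware
    process or by an instruction that itself lies in tainted memory. The taint
    label remembers which process wrote the byte."""

    def __init__(self, malware_pid):
        self.malware_pid = malware_pid
        self.tainted = {}      # (pid, byte address) -> writer pid
        self.findings = []     # (kind, pid, addr) for each flagged execution

    def _is_malware_code(self, pid, ip):
        return pid == self.malware_pid or (pid, ip) in self.tainted

    def process(self, ev):
        if isinstance(ev, Write):
            span = range(ev.addr, ev.addr + ev.size)
            if self._is_malware_code(ev.writer_pid, ev.ip):
                for a in span:                      # propagate the taint
                    self.tainted[(ev.target_pid, a)] = ev.writer_pid
            else:
                for a in span:                      # benign overwrite clears it
                    self.tainted.pop((ev.target_pid, a), None)
        elif isinstance(ev, Exec):
            writer = self.tainted.get((ev.pid, ev.addr))
            if writer is not None:
                kind = "injected" if writer != ev.pid else "generated"
                self.findings.append((kind, ev.pid, ev.addr))
        return self

def run_trace(events, malware_pid):
    """Replay a constructed trace and return the flagged executions."""
    tracker = PropagationTracker(malware_pid)
    for ev in events:
        tracker.process(ev)
    return tracker.findings
```
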