0sec09 - 1.0
0sec 2009
a private security event for friends
| Speakers | |
|---|---|
| Stefan Bühlmann | |
| Schedule | |
|---|---|
| Day | 2 |
| Room | Talk |
| Start time | 15:30 |
| Duration | 01:00 |
| Info | |
| ID | 27 |
| Event type | Lecture |
| Track | Talks |
| Language | English |
Lugh
The malware data collector
Current online malware analysis systems (e.g., Joebox, Anubis, Norman Sandbox, CW Sandbox, Threat Expert) generate behavior data characterizing the malware being analyzed. The behavior data typically consists of calls to the operating system kernel and related subsystems, and API calls in user space. In some cases this data is insufficient to understand the workings of a malware sample and additional data - describing system behavior more deeply - needs to be available to the malware analyst. Examples of "deep data" are histories of file modifications, including the actual contents of the files being modified, histories of full memory traces, etc. Currently, such information is recovered manually using debuggers and similar tools.
The goal of the Lugh project is to develop a novel deep data capturing tool that overcomes the limitations of existing tools. Lugh is currently able to capture complete file modification and memory change histories, stack back traces, partial instruction traces and screenshots on Windows operating systems. The memory inspection features make it possible to track self-modifying code and, ultimately, to unpack packed code using a novel, efficient memory analysis algorithm. In fact, first tests have shown that Lugh is able to unpack the code of all widely used and publicly available packers.
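The memory change history described above, modelled as an added example (this is not Lugh's code and not its algorithm): an initial image plus an ordered log of writes that can be replayed to any point in time, and a check that flags execution of bytes written after load, the classic self-modifying-code signal an unpacker leaves behind. All addresses and byte values are constructed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class WriteEvent:
    addr: int     # start address of the write
    data: bytes   # bytes that were written

@dataclass
class MemoryHistory:
    """Initial image plus an ordered log of every write observed afterwards."""
    image: dict                                   # addr -> byte at load time
    events: list = field(default_factory=list)

    def record_write(self, addr, data):
        """Hook callback: append one write event to the history."""
        self.events.append(WriteEvent(addr, bytes(data)))

    def snapshot(self, upto=None):
        """Rebuild memory contents as they were after the first `upto` events."""
        mem = dict(self.image)
        for ev in self.events[:upto]:
            for i, b in enumerate(ev.data):
                mem[ev.addr + i] = b
        return mem

    def written_since_load(self):
        """Addresses modified at least once since the image was loaded."""
        return {ev.addr + i for ev in self.events for i in range(len(ev.data))}

    def check_exec(self, addr, length):
        """Addresses in [addr, addr+length) that were written before being
        executed; a non-empty result flags run-time-generated (unpacked) code."""
        dirty = self.written_since_load()
        return sorted(a for a in range(addr, addr + length) if a in dirty)

def build_sample_history():
    """Constructed scenario: a 16-byte NOP sled at 0x401000 is the loaded
    image; an 8-byte zeroed buffer at 0x402000 receives decoded code."""
    image = {0x401000 + i: 0x90 for i in range(16)}
    image.update({0x402000 + i: 0x00 for i in range(8)})
    hist = MemoryHistory(image)
    hist.record_write(0x402000, b"\x55\x8b\xec")   # push ebp; mov ebp, esp
    hist.record_write(0x402003, b"\xc9\xc3")       # leave; ret
    return hist

if __name__ == "__main__":
    h = build_sample_history()
    print("written then executed:", [hex(a) for a in h.check_exec(0x402000, 8)])
```

Replaying `snapshot(k)` for increasing `k` yields the per-step history of the buffer, which is what lets an analyst dump the unpacked bytes at the moment control transfers into them.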
Lugh is implemented as a kernel driver in C++ and uses kernel mode detour hooking to capture system events. Compared to, e.g., emulator-based analysis systems, it is therefore relatively hard to detect and evade.
In this talk, we are going to give an in-depth discussion of the features and some implementation aspects of Lugh.