Skip to main content
SpringerLink
Log in

Stealth malware analysis from kernel space with Kolumbo

  • Original Paper
  • Published:
Journal in Computer Virology Aims and scope Submit manuscript

Abstract

Most of today’s malware are able to detect traditional debuggers and change their behavior whenever somebody tries to analyze them. The analysis of such malware becomes then a much more complex task. In this paper, we present the functionalities provided by the Kolumbo kernel module that can help simplify the analysis of malware. Four functionalities are provided for the analyst: system calls monitoring, virtual memory contents dumping, pseudo-breakpoints insertion and eluding anti-debugging protections based on ptrace. The module as been designed to minimize its impact on the system and to be as undetectable as possible. However, it has not been conceived to analyze programs with kernel access.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Similar content being viewed by others

References

  1. Desnos, I.A., Filiol, E.: Detection of an hvm rootkit (aka bluepill-like). J. Comput. Virol. http://www.springerlink.com/content/k7717483424n1h41/. Also available at http://www.esiea-recherche.eu/desnos/papers/hyp.pdf. September (2009)

  2. Droids Corporation. RR0D. http://rr0d.droids-corp.org/

  3. Desnos, A., Roy, S., Vanegue, J.: Eresi : une plate-forme d’analyse binaire au niveau noyau. In: SSTIC08, Rennes, France. http://www.sstic.org/SSTIC08/programme.do. Also available at http://www.eresi-project.org/wiki/EresiArticles. June (2008)

  4. Desnoyers, M., Dagenais, M.R.: Filling the gap between kernel instrumentation and a widely usable kernel tracer. In: Linux Foundation Collaboration Summit 2009, San Francisco, USA. http://events.linuxfoundation.org/archive/lfcs09_desnoyers_paper.pdf. April (2009)

  5. Eigler, F.Ch:. Systemtap tutorial. http://sourceware.org/systemtap/documentation.html/

  6. eNYe Sec eNYeLKM v1.1. http://www.enye-sec.org/en/

  7. Gabes, J., Jamtel, É.L., Alberdi, I.: Uberlogger: un observatoire niveau noyau pour la lutte informative défensive. In: SSTIC05, Rennes, France. http://actes.sstic.org/SSTIC05/UbberLogger/. June (2005)

  8. McGrath, R.: utrace: a new in-kernel api for debugging and tracing user tasks. http://people.redhat.com/roland/utrace/

  9. Raber, J.: Helikaon linux debugger. In: RECON08, Montreal, Canada. http://recon.cx/2008/index.html. June (2008)

Download references

Author information

Authors and Affiliations

  1. Revolution Linux, Sherbrooke, QC, Canada

    Julien Desfossez

  2. Département d’informatique, Faculté des Sciences, Université de Sherbrooke, Sherbrooke, QC, Canada

    Justine Dieppedale & Gabriel Girard

Authors
  1. Julien Desfossez
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Justine Dieppedale
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Gabriel Girard
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Julien Desfossez.

Rights and permissions

Reprints and permissions

About this article

Cite this article

Desfossez, J., Dieppedale, J. & Girard, G. Stealth malware analysis from kernel space with Kolumbo. J Comput Virol 7, 83–93 (2011). https://doi.org/10.1007/s11416-009-0139-z

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s11416-009-0139-z

Keywords

Search

Navigation