A Method for Malware Analysis by Virtual Machine Introspection Technique

  • Almaraz García L
  • Acosta Bermejo R

Abstract

Malicious code has become one of the biggest threats in the field of computer security. Traditional malware monitoring tools are installed in the physical host and rely on the integrity of that host; they are therefore vulnerable to being infected by the malware they monitor and to delivering erroneous monitoring results. In this paper, a method based on the Virtual Machine Introspection technique is proposed: the memory image of a Virtual Machine is obtained from outside the guest with the help of the VirtualBox API; its internal content, such as running processes, threads, network connections, and open files, is analyzed with the Volatility Framework, which interprets the low-level bytes into high-level information; and finally this information is reported in a monitoring register. This approach has been tested with the execution of 3 samples of malware inside a 32-bit Microsoft Windows XP SP3 Virtual Machine, and the results obtained support the main hypothesis that if the Virtual Machine Introspection technique is applied to a Virtual Machine then it is possible to obtain the activities of a process and, according to its behavior, identify malware.
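The last step of the method, turning Volatility's per-snapshot listings into a monitoring register, is illustrated by the following example. It is added here and is not the authors' code: it parses text in the column layout of Volatility 2's `pslist` and `connscan` plugins (the snapshot strings are constructed, with documentation IP ranges, to stand in for output from a memory image dumped through the VirtualBox API) and records which processes and connections appeared or disappeared between a baseline snapshot and one taken after a sample runs.

```python
"""Differential process/connection review of two Volatility-style snapshots.

Added example, not the paper's implementation. The snapshot text is constructed
to mimic the column layout of Volatility 2's `pslist` and `connscan` output for a
Windows XP SP3 x86 guest; in the method described above it would come from
running Volatility on a memory image dumped from outside the VM.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    name: str
    pid: int
    ppid: int
    threads: int


@dataclass(frozen=True)
class Connection:
    local: str
    remote: str
    pid: int


# Offset, Name, PID, PPID, Thds, Hnds ... (header and dashed lines do not match)
PSLIST_LINE = re.compile(r"^0x[0-9a-f]+\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)", re.I)
# Offset, Local Address, Remote Address, Pid
CONNSCAN_LINE = re.compile(r"^0x[0-9a-f]+\s+(\S+)\s+(\S+)\s+(\d+)", re.I)


def parse_pslist(text):
    """Map PID -> Process for every process row in a pslist listing."""
    procs = {}
    for line in text.splitlines():
        m = PSLIST_LINE.match(line.strip())
        if m:
            name, pid, ppid, thds, _hnds = m.groups()
            procs[int(pid)] = Process(name, int(pid), int(ppid), int(thds))
    return procs


def parse_connscan(text):
    """Set of Connection records found in a connscan listing."""
    conns = set()
    for line in text.splitlines():
        m = CONNSCAN_LINE.match(line.strip())
        if m:
            local, remote, pid = m.groups()
            conns.add(Connection(local, remote, int(pid)))
    return conns


def build_register(base_ps, base_conn, after_ps, after_conn):
    """Monitoring-register entries describing what changed between two snapshots."""
    entries = []
    for pid, p in after_ps.items():
        if pid not in base_ps:
            parent = after_ps.get(p.ppid) or base_ps.get(p.ppid)
            pname = parent.name if parent else "?"
            entries.append(f"NEW_PROCESS {p.name} pid={pid} parent={pname}({p.ppid}) threads={p.threads}")
    for pid, p in base_ps.items():
        if pid not in after_ps:
            entries.append(f"EXITED_PROCESS {p.name} pid={pid}")
    for c in sorted(after_conn - base_conn, key=lambda c: (c.pid, c.local)):
        owner = after_ps.get(c.pid)
        oname = owner.name if owner else "?"
        entries.append(f"NEW_CONNECTION {c.local} -> {c.remote} pid={c.pid} ({oname})")
    return entries


# Constructed snapshots (not real Volatility output).
BASELINE_PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x822f1020 smss.exe                376      4      3       19 ------      0 2018-01-01 10:00:00 UTC+0000
0x81e4c020 explorer.exe           1464   1404     12      350      0      0 2018-01-01 10:00:10 UTC+0000
"""
AFTER_PSLIST = BASELINE_PSLIST + """\
0x81d2a3c0 sample.exe             1820   1464      2       40      0      0 2018-01-01 10:05:00 UTC+0000
0x81c9f560 svchost.exe            1904   1820      5       80      0      0 2018-01-01 10:05:02 UTC+0000
"""
BASELINE_CONNSCAN = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x02087620 192.0.2.10:1038           192.0.2.1:445             4
"""
AFTER_CONNSCAN = BASELINE_CONNSCAN + """\
0x020a1130 192.0.2.10:1042           203.0.113.5:8080          1904
"""


def demo_register():
    """Register for the constructed baseline/after-execution pair."""
    return build_register(parse_pslist(BASELINE_PSLIST), parse_connscan(BASELINE_CONNSCAN),
                          parse_pslist(AFTER_PSLIST), parse_connscan(AFTER_CONNSCAN))


if __name__ == "__main__":
    for entry in demo_register():
        print(entry)
```

Because the parsing happens outside the guest, the sample cannot tamper with the listing it is being judged by; the register for the constructed data shows the new process, the child it spawned, and the outbound connection attributed to that child.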

Citation (APA)

Almaraz García, L. E. H., & Acosta Bermejo, R. (2018). A Method for Malware Analysis by Virtual Machine Introspection Technique. Research in Computing Science, 147(12), 11–20. https://doi.org/10.13053/rcs-147-12-1
