Implementation of virtual machine monitor-based stack trace mechanism on Windows 10 x64

Yuya Yamashita, Junjun Zheng, Shoichi Saito, Eiji Takimoto, Koichi Mouri

Research output: Contribution to journal › Conference article

Abstract

With the advent of 64-bit malware, analysis of such malware is now required. We are developing Alkanet 10, a system call tracer for 64-bit malware analysis on Windows 10 x64 that uses virtualization technology. At present, we are attempting to implement a stack trace in Alkanet 10 in order to trace the code injection behaviors of malware. However, realizing the stack trace is not easy because, unlike x86, the x64 calling convention does not use a frame pointer. We propose implementing the stack trace by using the VAD tree and the .pdata section of the PE file.
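The unwinding step the abstract proposes, as an added example that is not the paper's or Alkanet's code: a C stack walker over a constructed guest image and stack. Instead of following a frame-pointer chain, it maps each return address to a module through a VAD-style region list, finds that module's .pdata through the PE headers, and applies the UNWIND_INFO codes to recover the caller's RSP. The module base, stack region, function layout, unwind codes and the injected-code region are assumptions made up for the demo, as is the VAD list itself (a VMM would read the guest's EPROCESS VAD tree and translate addresses through the guest CR3). The walk stops at the first return address that no image backs, which is the kind of frame a code-injection trace is looking for.

```c
/* Added example, not the paper's code: an x64 stack walk done the way a VMM can do it, with no
 * frame pointer to follow. A VAD-style region list maps each return address to an image, and that
 * image's .pdata (RUNTIME_FUNCTION + UNWIND_INFO) gives the caller's RSP. Everything is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define IMAGE_BASE 0x140000000ULL                     /* assumed module base */
#define STACK_LO   0x10000ULL                         /* assumed guest stack region */
static uint8_t image[0x1200], gstack[0x200];
typedef struct { uint64_t start, end; const char *file; } vad_t;  /* file == NULL: no image backs it */
static const vad_t vads[] = { { IMAGE_BASE, IMAGE_BASE + sizeof image, "target.exe" },
    { 0x20000, 0x21000, NULL } /* private region: injected code */, { STACK_LO, STACK_LO + 0x200, NULL } };
static const vad_t *find_vad(uint64_t va) {           /* a VMM would walk EPROCESS.VadRoot */
    for (size_t i = 0; i < sizeof vads / sizeof *vads; i++) if (va >= vads[i].start && va < vads[i].end) return &vads[i];
    return NULL;
}
static uint64_t rd(uint64_t va, int n) {              /* LE guest read; a VMM translates via guest CR3 */
    const uint8_t *p = NULL; uint64_t v = 0;
    if (va >= IMAGE_BASE && va + n <= IMAGE_BASE + sizeof image) p = image + (va - IMAGE_BASE);
    if (va >= STACK_LO && va + n <= STACK_LO + sizeof gstack) p = gstack + (va - STACK_LO);
    for (int i = 0; p && i < n; i++) v |= (uint64_t)p[i] << (8 * i);
    return v;
}
static void wr(uint8_t *p, uint64_t v, int n) { for (int i = 0; i < n; i++) p[i] = v >> (8 * i); }
typedef struct { uint64_t rip, rsp, reg[16]; } ctx_t;   /* reg[] in x64 encoding order (3 = RBX, 5 = RBP) */
/* Apply one UNWIND_INFO to c. Codes are stored last-instruction-first; a code whose CodeOffset exceeds
 * funcoff (RIP's offset into the function) has not executed yet. Machine-frame/epilog codes are omitted. */
static void apply_unwind(uint64_t base, uint32_t ui, uint32_t funcoff, ctx_t *c) {
    uint64_t u = base + ui;
    uint32_t flags = rd(u, 1) >> 3, count = rd(u + 2, 1), freg = rd(u + 3, 1) & 15, foff = rd(u + 3, 1) >> 4;
    static const uint8_t slots[] = { 1, 0, 1, 1, 2, 3, 2, 3, 2, 3, 1 };   /* slots used per UWOP_* */
    for (uint32_t i = 0; i < count; ) {
        uint64_t code = u + 4 + 2 * i;
        uint32_t off = rd(code, 1), op = rd(code + 1, 1) & 15, info = rd(code + 1, 1) >> 4;
        i += op == 1 ? (info ? 3 : 2) : op < 11 ? slots[op] : 1;
        if (off <= funcoff) switch (op) {
        case 0: c->reg[info] = rd(c->rsp, 8); c->rsp += 8; break;               /* PUSH_NONVOL */
        case 1: c->rsp += info ? rd(code + 2, 4) : rd(code + 2, 2) * 8; break;  /* ALLOC_LARGE */
        case 2: c->rsp += info * 8 + 8; break;                                 /* ALLOC_SMALL */
        case 3: c->rsp = c->reg[freg] - foff * 16; break;                      /* SET_FPREG */
        case 4: c->reg[info] = rd(c->rsp + rd(code + 2, 2) * 8, 8); break;     /* SAVE_NONVOL */
        case 5: c->reg[info] = rd(c->rsp + rd(code + 2, 4), 8); break;         /* SAVE_NONVOL_FAR */
        default: break;                                   /* XMM saves etc.: no RSP/GPR effect */
        }
    }
    if (flags & 4)      /* UNW_FLAG_CHAININFO: the parent's RUNTIME_FUNCTION follows the codes */
        apply_unwind(base, rd(u + 4 + ((count + 1) & ~1u) * 2 + 8, 4), UINT32_MAX, c);
}
/* One step up the stack. Returns 0 when no image backs RIP: there is no unwind data to consult,
 * which is exactly what a frame belonging to injected code looks like. */
static int unwind_frame(ctx_t *c) {
    const vad_t *v = find_vad(c->rip);
    if (!v || !v->file) return 0;
    uint64_t nt = v->start + rd(v->start + 0x3C, 4);                   /* e_lfanew */
    if (rd(nt, 4) != 0x4550 || rd(nt + 24, 2) != 0x20B) return 0;      /* "PE\0\0", PE32+ */
    uint64_t pd = v->start + rd(nt + 160, 4);                           /* DataDirectory[EXCEPTION] */
    uint32_t rva = (uint32_t)(c->rip - v->start), size = rd(nt + 164, 4);
    for (uint32_t e = 0; e < size; e += 12) {                           /* RUNTIME_FUNCTION[] */
        uint32_t begin = rd(pd + e, 4);
        if (rva >= begin && rva < rd(pd + e + 4, 4)) { apply_unwind(v->start, rd(pd + e + 8, 4), rva - begin, c); break; }
    }                                           /* no entry: leaf function, RSP untouched */
    c->rip = rd(c->rsp, 8); c->rsp += 8;
    return 1;
}
typedef struct { uint64_t rip; const char *module; } frame_t;
int stack_trace(ctx_t c, frame_t *out, int max) {   /* stops at max frames or at an unbacked frame */
    int n = 0;
    while (n < max) {
        const vad_t *v = find_vad(c.rip);
        out[n].rip = c.rip; out[n++].module = v ? v->file : NULL;
        if (!unwind_frame(&c)) break;
    }
    return n;
}
static void push(uint64_t *sp, uint64_t v) { *sp -= 8; wr(gstack + (*sp - STACK_LO), v, 8); }
/* Constructed scenario: code in the unbacked region calls A; A calls B, which uses RBP = RSP+0x20
 * as a frame pointer; B calls C; the trace is taken inside C (as at a syscall exit to the VMM). */
int demo_trace(frame_t *out, int max) {
    wr(image + 0x3C, 0x80, 4); wr(image + 0x80, 0x4550, 4); wr(image + 0x98, 0x20B, 2);  /* PE32+ headers */
    wr(image + 0x80 + 160, 0x1000, 4); wr(image + 0x80 + 164, 36, 4);       /* exception dir RVA, size */
    static const uint32_t rf[] = { 0x400, 0x440, 0x1100, 0x500, 0x560, 0x110A, 0x600, 0x620, 0x1114 };
    for (int i = 0; i < 9; i++) wr(image + 0x1000 + 4 * i, rf[i], 4);       /* RUNTIME_FUNCTION A, B, C */
    static const uint8_t ui[] = {              /* ver|flags, SizeOfProlog, CountOfCodes, FrameReg|FrameOff<<4, codes */
        1, 6, 3, 0x00, 0x06,0x32, 0x02,0x30, 0x01,0x50,   /* A @0x1100: push rbp; push rbx; sub rsp,0x20 */
        1, 10, 3, 0x25, 0x0A,0x03, 0x05,0x52, 0x01,0x50,  /* B @0x110A: push rbp; sub rsp,0x30; lea rbp,[rsp+0x20] */
        1, 4, 1, 0x00, 0x04,0x42 };                       /* C @0x1114: sub rsp,0x28 */
    memcpy(image + 0x1100, ui, sizeof ui);
    uint64_t sp = STACK_LO + sizeof gstack, rbp;
    push(&sp, 0x20005);                                   /* injected code calls A */
    push(&sp, 0x1111); push(&sp, 0x2222); sp -= 0x20;     /* A prolog */
    push(&sp, IMAGE_BASE + 0x420);                        /* A calls B */
    push(&sp, 0x1111); sp -= 0x30; rbp = sp + 0x20;       /* B prolog */
    push(&sp, IMAGE_BASE + 0x540); sp -= 0x28;            /* B calls C; C prolog */
    ctx_t c = { .rip = IMAGE_BASE + 0x610, .rsp = sp };   /* register state the VMM captured */
    c.reg[5] = rbp; c.reg[3] = 0x3333;
    return stack_trace(c, out, max);
}
int main(void) {
    frame_t f[8];
    for (int i = 0, n = demo_trace(f, 8); i < n; i++)
        printf("#%d %#llx %s\n", i, (unsigned long long)f[i].rip, f[i].module ? f[i].module : "<unbacked: possible injected code>");
    return 0;
}
```

Built with `cc -std=c99 unwind.c`, the program prints four frames: three inside target.exe (the frame-pointer function B is recovered through UWOP_SET_FPREG from the captured RBP, not from a saved-RBP chain) and a final return address of 0x20005 that no image backs. Two caveats matter for a real tracer: UWOP_PUSH_MACHFRAME is not handled, which is fine for user-mode chains, and a RIP captured inside an epilog would be mis-unwound, since the unwind codes only describe the prolog; RtlVirtualUnwind covers that case by decoding the epilog bytes at RIP.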

Original language: English
Pages (from-to): 100-105
Number of pages: 6
Journal: Lecture Notes in Engineering and Computer Science
Volume: 2239
Publication status: Published - Jan 1 2019
Event: 2019 International MultiConference of Engineers and Computer Scientists, IMECS 2019 - Kowloon, Hong Kong
Duration: Mar 13 2019 - Mar 15 2019

All Science Journal Classification (ASJC) codes

  • Computer Science (miscellaneous)

Cite this

Implementation of virtual machine monitor-based stack trace mechanism on Windows 10 x64. / Yamashita, Yuya; Zheng, Junjun; Saito, Shoichi; Takimoto, Eiji; Mouri, Koichi.

In: Lecture Notes in Engineering and Computer Science, Vol. 2239, 01.01.2019, p. 100-105.

@article{355e9d710038498d8b290900c45bc223,
title = "Implementation of virtual machine monitor-based stack trace mechanism on Windows 10 x64",
abstract = "With the advent of 64-bit malware, analysis of such malware is now required. We are developing Alkanet 10, a system call tracer for 64-bit malware analysis on Windows 10 x64 that uses virtualization technology. At present, we are attempting to implement a stack trace in Alkanet 10 in order to trace the code injection behaviors of malware. However, realizing the stack trace is not easy because, unlike x86, the x64 calling convention does not use a frame pointer. We propose implementing the stack trace by using the VAD tree and the .pdata section of the PE file.",
author = "Yuya Yamashita and Junjun Zheng and Shoichi Saito and Eiji Takimoto and Koichi Mouri",
year = "2019",
month = "1",
day = "1",
language = "English",
volume = "2239",
pages = "100--105",
journal = "Lecture Notes in Engineering and Computer Science",
issn = "2078-0958",

}

TY - JOUR
T1 - Implementation of virtual machine monitor-based stack trace mechanism on Windows 10 x64
AU - Yamashita, Yuya
AU - Zheng, Junjun
AU - Saito, Shoichi
AU - Takimoto, Eiji
AU - Mouri, Koichi
PY - 2019/1/1
Y1 - 2019/1/1
AB - With the advent of 64-bit malware, analysis of such malware is now required. We are developing Alkanet 10, a system call tracer for 64-bit malware analysis on Windows 10 x64 that uses virtualization technology. At present, we are attempting to implement a stack trace in Alkanet 10 in order to trace the code injection behaviors of malware. However, realizing the stack trace is not easy because, unlike x86, the x64 calling convention does not use a frame pointer. We propose implementing the stack trace by using the VAD tree and the .pdata section of the PE file.
UR - http://www.scopus.com/inward/record.url?scp=85065768908&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85065768908&partnerID=8YFLogxK
M3 - Conference article
AN - SCOPUS:85065768908
VL - 2239
SP - 100
EP - 105
JO - Lecture Notes in Engineering and Computer Science
JF - Lecture Notes in Engineering and Computer Science
SN - 2078-0958
ER -