Vienna University of Economics and Business
In the escalating arms race between malicious code and the security tools designed to analyze it, detect it or mitigate its impact, malicious code running inside the operating system kernel provides an extremely powerful tool. Kernel-level code can introduce hard-to-detect backdoors, provide stealth by hiding files, processes or other resources, and in general tamper with operating system code and data in arbitrary ways. Under Windows, kernel-level malicious code typically takes the form of a device driver. In this paper, the authors present dAnubis, a system for the real-time, dynamic analysis of malicious Windows device drivers. dAnubis can automatically produce a high-level, human-readable report of a driver's behavior on the system.