Malware Behavior Analyzer
MBA is a QEMU-based, sandbox system dedicated to malware analysis.
Currently, MBA is mainly for the x86_64 architecture and Win10 x64 guest OS.
The following features are supported:
1. De-coupled Information Flow Tracking (DIFT) It is also known as taint analysis. Leveraging the DIFT feature, the contamination conducted by malware to the guest OS can be identified.
We would like to thank Chi-Wei, Wang, who developed the initial version of DIFT, for sharing his source code. The original DIFT is mainly for x86 platform. In this project, the DIFT is upgraded to support modern x86_64 platform.
For the academic paper published by Chi-Wei, Wang, please cite CW Wang and SP Shieh, "SWIFT: Decoupled System-Wide Information Flow Tracking and its Optimizations," Journal of Information Science and Engineering, JISE, 2015. http://www.iis.sinica.edu.tw/page/jise/2015/201507_15.pdf
Disk Forensics (Tsk) The tsk extension supports the translation between the disk sector address and the corresponding file in the Windows guest OS.
Memory Forensics (MemFrs) The memfrs extension performs the virtual machine introspection on the guest physical/virtual memory. The high-level semantics of the memory data (e.g. process list) can be interpreted without the assistence of the guest OS.
Windows in-VM Agent (Agent) The agent extension provides a convenient communication between the QEMU console and the guest OS. An agent program is needed to be pre-installed inside the Windows guest to support the operations such as ... > execute a command in the guest w/wo return output expected > import/export a file into/from the guest
Out-of-Box Hooking (OBHook) The obhook extension provides the VM-based hook against the guest OS. This features allows MBA to intercept the event-of-interest of the guest. Note that the obhook is purely implemented beneath the guest OS, namely the hypervisor (QEMU). Thereby, not a code snippets is required to be inserted to the guest, and thus prevent the interference of malware.
Network Traffic Monitor (NetTraMon) The nettramon extension performs monitoring the network traffic of the guest OS. This extension provides sniffing, parsing, and filtering packets, and supports protrocols of TCP, UDP and ICMP. User can also set files for storing parsed packets according to protocols.
Instruction Tracer (Tracer) The tracer extension supports the runtime instruction trace executed by a subject sample. This extension provides user-space/kernel-space tracing instruction tracing functionality
System Call Tracer (Systrace) The systrace extension provides the system call trace of a subject sample during its runtime phase.
Download MBA source
$ git clone https://github.com/GlacierW/MBA $ cd MBA/
Configure QEMU to enable all of the MBA features.
To enable a MBA feature individually, please refer to
$ ./configure --target-list=x86_64-softmmu --enable-mba-all
Compile MBA. (May take a while, use
Start MBA with the prepared Win10_64bit image in QCOW2 format.
Due to the implementation issue, 2048MB RAM and 16GB disk space for the guest OS are recommended.
$ ./x86_64-softmmu/qemu-system-x86_64 \ -m 2048 \ -hda \ -net nic,model=rtl8139 -net user \ -k en-us -usb \ -monitor stdio \ -vnc :1
Now the VNC server should be able to connect to via the port 5901.
The APIs of each MBA extension can be found in the under the
extdirectory. e.g. ext/dift.h for APIs of the DIFT extension
Chi-Wei, Wang [email protected]
Chia-Wei, Wang [email protected]
Chong-Kuan, Chen [email protected]
Hao, Li [email protected]
Jui-Chien, Jao [email protected]
Chuan-Hua, Cheng [email protected]
E-Lin, Ho [email protected]
Distributed System and Network Security Lab, National Chiao-Tung University, Taiwan