Hunting hidden shellcode via syscall summaries

You can roughly determine an executable's purpose from its Import Table (or ImpHash).
Or, better yet, from a summary of its capabilities extracted by automated static analysis of callsites and parameters.

This project is the runtime equivalent.

Using kernel ETW telemetry, we record the set of interesting syscalls (plus interesting parameters).

Malware can't use anti-analysis approaches to hide from the kernel at runtime. If (user-mode) malware needs to make syscalls to perform its tasks, it must make those calls, and the kernel observes every one of them.

Anomalies in this set for a given process should have sufficient information to identify the presence of malicious code on the system. However, the profile will not have sufficient granularity to establish a perfect timeline of events.
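The following is an added example, not code from this project or from the Black Hat talk. It models the idea above in a few dozen lines: each syscall event a process makes is reduced to a feature (the syscall name, qualified by the parameters worth noting, such as an executable page protection or a target that is another process), the per-process feature *set* is the runtime analogue of an import table, a SHA-256 over the sorted set plays the role of ImpHash, and anomalies are simply features not in a baseline for that image. The event records, their field names (`protect`, `target_pid`), the image names and the baseline are all constructed for the example and do not reflect any real ETW provider schema; the `PAGE_*` constants and syscall names are the real Windows values.

```python
"""Per-process syscall summary and anomaly check (added illustration, not project code).

Event records, field names and the baseline below are constructed for this
example; they do not mirror any real ETW event schema.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

# Windows page protection constants (winnt.h); any of these makes a region executable.
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXECUTABLE_PROTECTIONS = {PAGE_EXECUTE, PAGE_EXECUTE_READ,
                          PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}

# The subset of syscalls we consider interesting enough to record. Everything else is dropped.
INTERESTING = {
    "NtAllocateVirtualMemory", "NtProtectVirtualMemory", "NtWriteVirtualMemory",
    "NtCreateThreadEx", "NtQueueApcThread", "NtMapViewOfSection", "NtOpenProcess",
}


@dataclass
class SyscallEvent:
    """One recorded syscall. `params` holds only the parameters we chose to keep (constructed schema)."""
    pid: int
    image: str
    syscall: str
    params: dict = field(default_factory=dict)


@dataclass
class Profile:
    """The syscall summary of one process: a set of features, not a timeline."""
    pid: int
    image: str
    features: set[str] = field(default_factory=set)

    def summary_hash(self) -> str:
        """ImpHash-style digest of the sorted feature set; call order and counts are deliberately lost."""
        return hashlib.sha256(",".join(sorted(self.features)).encode()).hexdigest()


def feature(ev: SyscallEvent) -> str | None:
    """Reduce an event to 'Syscall' or 'Syscall[qualifiers]', or None if it is not interesting."""
    if ev.syscall not in INTERESTING:
        return None
    quals = []
    protect = ev.params.get("protect")
    if protect is not None and protect in EXECUTABLE_PROTECTIONS:
        quals.append("exec")          # memory made executable
    target = ev.params.get("target_pid")
    if target is not None and target != ev.pid:
        quals.append("remote")        # operating on another process
    return ev.syscall + (f"[{','.join(quals)}]" if quals else "")


def summarize(events: list[SyscallEvent]) -> dict[int, Profile]:
    """Build one Profile per pid from a stream of events."""
    profiles: dict[int, Profile] = {}
    for ev in events:
        f = feature(ev)
        if f is None:
            continue
        profiles.setdefault(ev.pid, Profile(ev.pid, ev.image)).features.add(f)
    return profiles


def anomalies(profile: Profile, baseline: dict[str, frozenset[str]]) -> set[str]:
    """Features this process exhibited that the baseline for its image does not expect."""
    return profile.features - baseline.get(profile.image, frozenset())


# Constructed sample telemetry: pid 100 behaves like a normal editor, pid 200 (same image)
# allocates RWX memory, flips a page to executable and starts a thread.
SAMPLE_EVENTS = [
    SyscallEvent(100, "notepad.exe", "NtAllocateVirtualMemory", {"protect": 0x04, "target_pid": 100}),
    SyscallEvent(100, "notepad.exe", "NtQueryInformationProcess"),   # not interesting, ignored
    SyscallEvent(200, "notepad.exe", "NtAllocateVirtualMemory", {"protect": 0x40, "target_pid": 200}),
    SyscallEvent(200, "notepad.exe", "NtProtectVirtualMemory", {"protect": 0x20, "target_pid": 200}),
    SyscallEvent(200, "notepad.exe", "NtCreateThreadEx", {"target_pid": 200}),
]

# Constructed baseline: what this image is expected to do on a clean system.
BASELINE = {"notepad.exe": frozenset({"NtAllocateVirtualMemory"})}


def demo() -> dict[int, set[str]]:
    """Return the anomalous features per pid for the sample telemetry."""
    return {pid: anomalies(p, BASELINE) for pid, p in summarize(SAMPLE_EVENTS).items()}


if __name__ == "__main__":
    for pid, p in summarize(SAMPLE_EVENTS).items():
        print(pid, p.image, p.summary_hash()[:16], sorted(anomalies(p, BASELINE)))
```

Because the profile is a set, two processes that make the same interesting calls in a different order, or a different number of times, hash identically; that is what makes the summary stable enough to baseline, and also why, as the paragraph above says, it cannot reconstruct a timeline of events.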

See [Black Hat Asia 2023] You Can Run, but You Can't Hide - Finding the Footprints of Hidden Shellcode for more details.

Notes