On the Dissection of Evasive Malware
IEEE Transactions on Information Forensics and Security (IF 6.8). Pub Date: 2020-02-28. DOI: 10.1109/tifs.2020.2976559
Daniele Cono D'Elia , Emilio Coppa , Federico Palmaro , Lorenzo Cavallaro

Complex malware samples feature measures to impede automatic and manual analyses, making their investigation cumbersome. While automatic characterization of malware benefits from recently proposed designs for passive monitoring, the subsequent dissection process still sees human analysts struggling with adversarial behaviors, many of which closely resemble those studied for automatic systems. This gap affects the day-to-day analysis of complex samples, and researchers have not yet attempted to bridge it. We make a first step down this road by proposing a design that reconciles transparency requirements with the manipulation capabilities required for dissection. Our open-source prototype BluePill (i) offers a customizable execution environment that remains stealthy when analysts intervene to alter instructions and data or run third-party tools, (ii) is extensible to counteract newly encountered anti-analysis measures using insights from the dissection, and (iii) can accommodate program analyses that aid analysts, as we explore for taint analysis. On a set of highly evasive samples, BluePill proved as stealthy as commercial sandboxes while offering new intervention and customization capabilities for dissection.

Updated: 2020-04-22