VX Heaven


Emulation: Transposition of Control (From Anti-Virus to Virus)

Valhalla #2
March 2012



In the last few years, sandboxing and emulation have become vital to anti-virus detection. Loosely defined, emulation involves two distinct execution environments, one of which controls the other. An AV emulator typically maintains two separate CPU and thread contexts, the host's and the emulated guest's, even though it runs on a single host thread.

The same mechanism can be turned around to protect a virus body (payload) and to make reverse engineering, debugging in particular, harder. Conventional decryption loops are an obvious red flag: once the loop finishes and control passes to the payload, the fully decrypted image sits in memory where the AV engine can analyse it. By running the body through its own emulator, which decrypts each instruction only as it is executed, the virus never exposes a complete decrypted image, which limits what heuristic analysis can see.

win32.evenstar uses a prototype x86 pseudo-emulator. The virus body is encrypted instruction by instruction with a basic XOR scheme, although a more sophisticated cipher could be substituted.
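The following is an added illustration of the per-instruction scheme described above, not code from the article or from win32.evenstar. It replaces the x86 pseudo-emulator with a hypothetical two-byte stack byte-code (opcodes OP_PUSH, OP_ADD, OP_SUB, OP_MUL, OP_HALT are invented for this example) so that fetch, decrypt, dispatch and scrub can be shown in a few lines. Each instruction is masked with a position-dependent XOR and is decrypted into a scratch buffer only at the moment it runs; the encrypted image is never decrypted as a whole, and a wrong key makes the dispatcher fail on the first opcode rather than yield a plaintext image. The sample program and the key 0x5A are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical toy instruction set for the demonstration (not x86). */
enum { OP_HALT = 0, OP_PUSH = 1, OP_ADD = 2, OP_MUL = 3, OP_SUB = 4 };
#define INSN_LEN 2          /* every instruction is opcode + one operand byte */
#define STACK_MAX 16

/* Position-dependent XOR: byte i is masked with key ^ (i & 0xff), so repeated
   plaintext bytes do not produce repeated ciphertext bytes. */
static uint8_t mask_byte(uint8_t b, uint8_t key, size_t i) {
    return b ^ key ^ (uint8_t)i;
}

/* Encrypt (or, being XOR, decrypt) a whole program in place. The protected
   runner below never calls this on the full image; it is here to build the
   sample blob. */
void encrypt_program(uint8_t *code, size_t len, uint8_t key) {
    for (size_t i = 0; i < len; i++) code[i] = mask_byte(code[i], key, i);
}

/* The controlling environment: fetch one encrypted instruction, decrypt it into
   a 2-byte scratch buffer, dispatch it, then scrub the scratch buffer. Only one
   instruction is ever in the clear. Returns the top of stack at OP_HALT, or -1
   on a malformed program (which is what a wrong key produces). */
int run_protected(const uint8_t *enc, size_t len, uint8_t key) {
    int32_t stack[STACK_MAX];
    int sp = 0;
    size_t pc = 0;
    while (pc + INSN_LEN <= len) {
        uint8_t insn[INSN_LEN];
        for (size_t k = 0; k < INSN_LEN; k++)
            insn[k] = mask_byte(enc[pc + k], key, pc + k);
        pc += INSN_LEN;
        uint8_t op = insn[0], arg = insn[1];
        /* Scrub the scratch copy; a production build would use a scrub the
           compiler cannot elide (explicit_bzero or a volatile store loop). */
        memset(insn, 0, sizeof insn);
        switch (op) {
        case OP_PUSH:
            if (sp >= STACK_MAX) return -1;
            stack[sp++] = arg;
            break;
        case OP_ADD: case OP_SUB: case OP_MUL: {
            if (sp < 2) return -1;
            int32_t b = stack[--sp], a = stack[--sp];
            stack[sp++] = (op == OP_ADD) ? a + b : (op == OP_SUB) ? a - b : a * b;
            break;
        }
        case OP_HALT:
            return sp ? stack[sp - 1] : -1;
        default:
            return -1;          /* unknown opcode: garbage from a bad key */
        }
    }
    return -1;                  /* ran off the end without OP_HALT */
}

/* Constructed sample program computing (3 + 4) * 5. Returns its byte length. */
size_t build_sample_program(uint8_t *out, size_t cap) {
    static const uint8_t prog[] = {
        OP_PUSH, 3, OP_PUSH, 4, OP_ADD, 0, OP_PUSH, 5, OP_MUL, 0, OP_HALT, 0 };
    if (cap < sizeof prog) return 0;
    memcpy(out, prog, sizeof prog);
    return sizeof prog;
}

/* Encrypt the sample with one key and run it under another. Equal keys give
   35; a mismatch turns the first opcode into an unknown byte and returns -1. */
int run_sample(uint8_t key_used_to_encrypt, uint8_t key_used_to_run) {
    uint8_t buf[32];
    size_t n = build_sample_program(buf, sizeof buf);
    encrypt_program(buf, n, key_used_to_encrypt);
    return run_protected(buf, n, key_used_to_run);
}

int main(void) {
    printf("correct key: %d\n", run_sample(0x5A, 0x5A));
    printf("wrong key:   %d\n", run_sample(0x5A, 0x00));
    return 0;
}
```

The point to take from the runner is that a memory dump taken at any time during execution contains the encrypted blob plus at most one decrypted two-byte instruction, so a scanner that waits for "the decryption loop to finish" never sees a complete image; the price is that the emulator itself is unencrypted and becomes the static signature target instead.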
