Using RDMA during malware research
During my malware research i have encountered thousands of samples.
most research labs uses same methods during their sample analysis, they all uses emulators or any other kind of virtualization implementation.
the problem start when trying to analyze well defended malwares, i.e. malwares which uses good packers, antivm and anti debugging technique (and no im not talking about IsDebuggerPresent).
since defeating packers is not an easy task nor fast one (even killer researcher can spend hours breaking unknown packers) i usually prefer to execute the malware on real machine and dump the machine memory.
for this kind of apporach i used my own driver which simply dump the kernel memory to disk and then im starting to grab essentials clues.
the problem with this approach is that its kinda post Morten, cannot be performed in real time, most descent malwares will wipe any traces and for those which are not persistence this technique wont do any good..
not long ago, i read an article about the solution for process migration in HPC (high performance computing) clusters, the idea is to use RDMA which stands for (remote direct memory access) simply as that, meaning i can get access to memory with out CPU cycles.
the only obstacle is that only infiband (switched fabric communications link) and 10gb ethernet cards support RDMA so for this method you will need to own one :) i got mine for less then 100 U.S.D on eBay.
after installing the card and tweaking the driver i wrote simple client which actually can connect to the remote machine NIC using RDMA feature and query memory segments of my analyzed malware machine.
im now being able to read sensitive information during malware execution.
why im writting this? since i think it can contribute a lot overcoming tough bins and its neat.
for more details about my project, leave me a buz at:
udi at kernelhacking.com or visit my blog: