Hi,

I am a newbie to QEMU. I want to use QEMU for the dynamic analysis of 
malware, usually called "taint analysis". The main idea is to tag data from 
some specific sources, for example network packets, files on a hard disk, 
user inputs and so on, and then trace the propagation of the tagged data through the 
system. Once the tagged data is maliciously used, an alarm is raised.

To build an analysis environment, I need to solve the following problems:

(1)    Make the shadow memory for each process under analysis. How can I make 
the shadow memory in QEMU? I think I can partition the memory of QEMU into two 
blocks, one for the process under analysis, the other for the process's shadow 
memory. Is that right?

(2)    Tracing the propagation of tagged data is implemented at the instruction 
level. That is to say, for example, if the source operand of an instruction is 
tagged, then the destination operand of the instruction is also tagged. How can 
I implement the idea? Should I modify the instruction translation functions to 
add code for tagging and recompile QEMU?

(3)    In the process of analyzing malware, two types of semantic information 
should be combined: one from the OS, including process information, stack 
information, heap information and so on; the other from QEMU, mostly the 
tag propagation information. The question is, how can I write code to 
relate both kinds of information? That is to say, how to make QEMU receive 
information from the OS, and how to make the OS receive information from QEMU?

Sorry for writing so much, and thank you very much for your time! I am a newbie 
to QEMU, and you need ONLY BRIEFLY tell me what to read, where to search, or 
how to try, if the answer is too complex. Of course, detailed instructions are 
VERY MUCH WELCOMED!

Thank you very much in advance!

Best regards

F. Zhang
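As an added illustration (not from this post and not QEMU code), a toy model of points (1) and (2): every memory word and register carries a shadow tag set, each instruction gives its destination the union of its sources' tags, and an alarm is raised when tagged data reaches a sink such as an indirect jump. The instruction set, register names, addresses and the "net" label are constructed for the example.

```python
# Constructed toy CPU for illustrating shadow memory and instruction-level
# taint propagation. This is an added example, not QEMU code.
from dataclasses import dataclass, field

@dataclass
class TaintVM:
    mem: dict = field(default_factory=dict)      # guest memory: addr -> value
    shadow: dict = field(default_factory=dict)   # shadow memory: addr -> set of labels
    regs: dict = field(default_factory=dict)     # register file: name -> value
    rtaint: dict = field(default_factory=dict)   # register shadow: name -> set of labels
    alarms: list = field(default_factory=list)   # raised when tagged data hits a sink

    def mark_source(self, addr, values, label):
        """Tag data arriving from a source (here a constructed packet) with a label."""
        for i, v in enumerate(values):
            self.mem[addr + i] = v
            self.shadow[addr + i] = {label}

    def _rt(self, r):
        return self.rtaint.get(r, set())

    def step(self, insn):
        """Instruction-level rule: destination tags = union of source tags."""
        op, dst, src = insn
        if op == "load":                          # dst <- mem[src]
            self.regs[dst] = self.mem.get(src, 0)
            self.rtaint[dst] = set(self.shadow.get(src, ()))
        elif op == "store":                       # mem[dst] <- src
            self.mem[dst] = self.regs.get(src, 0)
            self.shadow[dst] = set(self._rt(src))
        elif op == "add":                         # dst <- dst + src
            self.regs[dst] = self.regs.get(dst, 0) + self.regs.get(src, 0)
            self.rtaint[dst] = self._rt(dst) | self._rt(src)
        elif op == "xor":                         # dst <- dst ^ src
            self.regs[dst] = self.regs.get(dst, 0) ^ self.regs.get(src, 0)
            # xor r,r always yields 0, so the result no longer depends on tagged input
            self.rtaint[dst] = set() if dst == src else self._rt(dst) | self._rt(src)
        elif op == "jmp":                         # sink: indirect jump through dst
            if self._rt(dst):
                self.alarms.append(f"tainted jump target in {dst}: {sorted(self._rt(dst))}")
        return self

def run_demo():
    vm = TaintVM()
    vm.mark_source(0x1000, [0x41, 0x42], "net")   # constructed: 2 bytes of a packet
    vm.regs["r2"] = 0x4000                         # clean base address
    for insn in [("load", "r1", 0x1000),   # r1 tagged {net}
                 ("add", "r2", "r1"),      # r2 now tagged {net}
                 ("store", 0x2000, "r2"),  # shadow[0x2000] = {net}
                 ("xor", "r1", "r1"),      # r1 cleared
                 ("jmp", "r2", None)]:     # tagged data used as control flow -> alarm
        vm.step(insn)
    return vm
```

In real QEMU the same rules would live in the per-instruction translation path, with the shadow state kept alongside the guest state rather than inside the guest's own address space.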
