SBIR-STTR Award

Kernel-mode Software Protection Vulnerability Assessment and Rootkit Reverse Engineering Tool Development
Award last edited on: 3/6/2008

Sponsored Program
STTR
Awarding Agency
DOD : OSD
Total Award Amount
$849,942
Award Phase
2
Solicitation Topic Code
OSD06-NC4
Principal Investigator
Greg Hoglund

Company Information

HBGary Inc (AKA: Hbgary Federal Inc)

3604 Fair Oaks Boulevard Suite 250
Sacramento, CA 95864
   (916) 459-4727
   hoglund@hbgary.com
   www.hbgary.com

Research Institution

----------

Phase I

Contract Number: ----------
Start Date: ----    Completed: ----
Phase I year
2006
Phase I Amount
$100,000
Software protection mechanisms are a means of preventing piracy, alteration, and reverse engineering of critical national security software and data. Kernel-mode software protection techniques utilize, in part, rootkit-like methods that provide anti-piracy and anti-reverse engineering protection to critical software applications. The fundamental difficulty shared by rootkits and software protection mechanisms is that each wishes to hide some aspect of its operation from outside observation. In striving to remain unobserved, both types of software may spend some amount of time "on the lookout" for tools that may be used to thwart their respective efforts. The goal of this work is to design and prototype a toolset that can be used for unobserved, dynamic reverse engineering of software programs even when those programs employ tamper-proofing and anti-reverse engineering techniques. The target programs may exist within a lab or on production machinery; as such, the technology must be deployable in the field into existing machine environments. HBGary offers kernel-mode reverse engineering tools to assist in analyzing rootkits and overcoming tamper-proofing techniques.

Phase II

Contract Number: ----------
Start Date: ----    Completed: ----
Phase II year
2007
Phase II Amount
$749,942
The Air Force Research Lab’s Software Protection Initiative has a mission to prevent unauthorized distribution and exploitation of application software critical to national security. That mission has led to investment in developing advanced software protections, including the use of rootkit-like methods that provide anti-piracy and anti-reverse engineering protection to critical software applications. Malicious attackers use rootkit technology to hide their presence and behavior on compromised computer systems. Gaining a better understanding of the tactics and techniques of malicious rootkit users will assist in the development of better detection capabilities and countermeasures for those attacks, and will also assist AT-SPI in enhancing the protection strength of its kernel-mode software protection technologies. HBGary proposes to develop a Software Protection Analyzer (“SPA”) with a Kernel Virtual Machine to detect, analyze, and assess the types of software protection employed on a system and to assist engineers who are attempting to reverse engineer such mechanisms. The SPA will probe volatile memory to identify hidden or protected software. The system will analyze the defense mechanisms that the software employs and generate a report of its findings. It will also facilitate tracing and recovery of kernel and protected software and its defenses against reverse engineering.

Keywords:
Kernel Virtual Machine, Software Protection, Rootkits, Malware, Reverse Engineering, Dynamic Analysis