• caglararli@hotmail.com
  • 05386281520

Is there a way to record CPU operations for a given process as they occur in a standard, production OS environment?

Çağlar Arlı      -    36 Views

Is there a way to record CPU operations for a given process as they occur in a standard, production OS environment?

Doing malware analysis I'm interested in being able to log every instruction the CPU executes for a given process. I was hoping this was perhaps possible in a standard VM environment, even if not possible in a bare-metal execution scenario. I'm interested specifically in Windows 10 for now.

To be clear, I don't mean inside a debugger or special emulator sandbox designed specifically for malware detection. That's going to be detectable by the attacker and can be bypassed. I'm thinking of an approach where we monitor the execution on our real, production machines (perhaps having all systems operate as VMs/hypervisors if necessary) and as the forbidden tools execute we analyze and detect the behavior fingerprint. This would include any dynamically allocated executable data, for example data made executable after a VirtualProtect call.

Solutions I'm considering

Processors already handle context switches as a regular part of multi-threaded architectures, for example Hyper Threading, and I guess one way to describe what I'm interested in doing is to track the state of one of those contexts as the VM simulates it.

Considering a general arithmetic addition operation A = B+1. The instruction is stored in the instruction register and the program counter is incremented. A and B are read from memory and are stored in registers R1, R2 respectively. In this case, B+1 is calculated and written in R1 as the final answer. This operation as there are sequential reads and writes and there's no waits for function calls used, hence no context switch/wait takes place in this case. - source

Perhaps I would need to hijack the VM's implementation of this process to track which process is currently in filling the register state and insert some code in the VM's hyperthreading emulation code to store that state somewhere else each time it updates?

Perhaps that's overkill. Perhaps no VMs actually virtualize systems on such a low level to make this possible. I'm still learning about the lower level working of VMs. I would expect such low-level emulation to cause a significant performance hit, especially if we're recording register states between each instruction - a massive performance hit probably.

Question

Can this be achieved with existing virtual machine tools, or why not? What features should I look to in VM software or Windows OS documentation? Or rather, will I almost certainly have to make low-level modifications to a VM product to create a custom solution for doing this? Or perhaps would a new kind of VM have to be built to essentially do this kind of instruction processing virtualization?