Event

Event
12:00
-
12:25
Day 1
Invisible Hypervisors: Stealthy Malware Analysis with HyperDbg
UB5.132
English
Assembly-Event
<p>HyperDbg is a modern, open-source hypervisor-based debugger supporting both user- and kernel-mode debugging. Operating at the hypervisor level, it bypasses OS debugging APIs and offers stealthy hooks, unlimited simulated debug registers, fine-grained memory monitoring, I/O debugging, and full execution control, enabling analysts to observe malware with far greater reliability than traditional debuggers.</p> <p>When it comes to debugger stealthiness and sandboxing, environment artifacts can reveal the presence of analysis tools - particularly under nested virtualization. To address this issue, we present HyperEvade, a transparency layer for HyperDbg. HyperEvade intercepts hypervisor-revealing instructions, normalizes timing sources, conceals virtualization-specific identifiers, and emulates native hardware behavior, reducing the observable footprint of the hypervisor.</p> <p>While perfect transparency remains a future endeavour, HyperEvade significantly raises the bar for stealthy malware analysis. By suppressing common detection vectors, it enables more realistic malware execution and reduces evasion, making HyperDbg a more dependable tool for observing evasive or self-protective malware. This talk covers HyperDbg’s architecture and features, HyperEvade’s design, and practical evaluation results.</p> <p>Resources:</p> <ul> <li> <p>HyperDbg repository: https://github.com/HyperDbg/HyperDbg/</p> </li> <li> <p>Documentation: https://docs.hyperdbg.org/</p> </li> <li> <p>Kernel-mode debugger design: https://research.hyperdbg.org/debugger/kernel-debugger-design/</p> </li> <li> <p>Research paper: https://dl.acm.org/doi/abs/10.1145/3548606.3560649</p> </li> </ul>