Learn, hack!

Hacking and security documentation: slides, papers, video and audio recordings. All in high-quality, daily updated, avoiding security crap documents. Spreading hacking knowledge, for free, enjoy. Follow on .

Virt-ICE: next generation debugger for malware analysis

debugger, malware, malware analysis
Kuniyasu Suzaki, Quynh Nguyen Anh
Black Hat USA 2010
Indexed on
Mar 27, 2013
File name
File size
461.7 KB

Dynamic malware analysis is an important method to analyze malware. The most important tool for dynamic malware analysis is debugger. However, because debuggers are originally built by software developers to debug legitimate software, they have some significant flaws against malware. First of all, malware can easily detect the presence of debugger with various tricks. Another fundamental problem is that because malware run in the same security domain with debugger, they can potentially tamper with the debugger, and prevent it from functioning correctly. Unfortunately, all of the above drawbacks are unfixable in the current architecture. This research presents a new debugger named Virt-ICE, which is designed to address the problems of current malware debuggers. Using virtualization technology, Virt-ICE is totally invisible to malware, thus renders most available anti-debugging techniques useless. Thanks to the isolation provided by virtual machine, Virt-ICE is out of the reach of malware, and cannot be tampered with. Another advantage of Virt-ICE is that unlike many other popular debuggers, it can deal with ring-0 code, therefore it has no issue handling kernel rootkits. Virt-ICE also offers a novel event-based method to intercept malware execution, which can help to improve the debugging efficiency. Finally, Virt-ICE includes some built-in automatic malware analysis facilities to give the analysts more information on malware, so they can reduce the time on the job by focusing their debugging efforts on important points. We conclude the talk with some live demos to show how Virt-ICE can debug some real malware.

About us

Secdocs is a project aimed to index high-quality IT security and hacking documents. These are fetched from multiple data sources: events, conferences and generally from interwebs.


Serving 8166 documents and 531.0 GB of hacking knowledge, indexed from 2419 authors from 163 security conferences.


To support this site and keep it alive, you can click on the buttons below. Any help is really appreciated! This service is provided for free, but real money is needed to pay bills.

Flattr this Click here to lend your support to: Keep live SecDocs for an year and make a donation at www.pledgie.com !