Related papers: HALF: Process Hollowing Analysis Framework for Binary Programs with the Assistance of Kernel Modules

HALF: Process Hollowing Analysis Framework for Binary Programs with the Assistance of Kernel Modules

URL: http://arxiv.org/abs/2512.22043v1
Date: Fri, 26 Dec 2025 14:34:30 GMT
Title: HALF: Process Hollowing Analysis Framework for Binary Programs with the Assistance of Kernel Modules
Authors: Zhangbo Long, Letian Sha, Jiaye Pan, Dongpeng Xu, Yifei Huang, Fu Xiao,
Abstract summary: This paper presents a new binary program analysis framework, in order to improve the usability and performance of fine-grained analysis.<n>The framework mainly uses the kernel module to further expand the analysis capability of the traditional dynamic binary instrumentation.<n>It can reuse the functions of the existing dynamic binary instrumentation platforms and also reduce the impact on the execution of the target program.
Score: 10.10348463565392
License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
Abstract: Binary program analysis is still very important in system security. There are many practical achievements in binary code analysis, but fine-grained analysis such as dynamic taint analysis, is constantly studied due to the problem of deployability, high memory usage, and performance overhead, so as to better adapt to the new analysis scenario, such as memory corruption exploits and sandbox evasion malware. This paper presents a new binary program analysis framework, in order to improve the usability and performance of fine-grained analysis. The framework mainly uses the kernel module to further expand the analysis capability of the traditional dynamic binary instrumentation. Then, based on the idea of decoupling analysis, the analysis environment is constructed in the container process through process hollowing techniques in a new way. It can reuse the functions of the existing dynamic binary instrumentation platforms and also reduce the impact on the execution of the target program. The prototype is implemented on the Windows platform. The validity and performance of the framework are verified by a large number of experiments with benchmark and actual programs. The effectiveness of the framework is also verified by the analysis of actual exploit programs and malicious code, demonstrating the value of the practical application.

Related papers

An Explainable Memory Forensics Approach for Malware Analysis [1.2744523252873352]
Memory forensics is an effective methodology for analyzing living-off-the-land malware.<n>In this paper, we propose an explainable, AI-assisted memory forensics approach.<n>We apply the proposed methodology to both Windows and Android malware.
arXiv Detail & Related papers (2026-02-23T13:30:04Z)
InspectCoder: Dynamic Analysis-Enabled Self Repair through interactive LLM-Debugger Collaboration [71.18377595277018]
Large Language Models (LLMs) frequently generate buggy code with complex logic errors that are challenging to diagnose.<n>We present InspectCoder, the first agentic program repair system that empowers LLMs to actively conduct dynamic analysis via interactive debugger control.
arXiv Detail & Related papers (2025-10-21T06:26:29Z)
Training Language Models to Generate Quality Code with Program Analysis Feedback [66.0854002147103]
Code generation with large language models (LLMs) is increasingly adopted in production but fails to ensure code quality.<n>We propose REAL, a reinforcement learning framework that incentivizes LLMs to generate production-quality code.
arXiv Detail & Related papers (2025-05-28T17:57:47Z)
BinMetric: A Comprehensive Binary Analysis Benchmark for Large Language Models [50.17907898478795]
We introduce BinMetric, a benchmark designed to evaluate the performance of large language models on binary analysis tasks.<n>BinMetric comprises 1,000 questions derived from 20 real-world open-source projects across 6 practical binary analysis tasks.<n>Our empirical study on this benchmark investigates the binary analysis capabilities of various state-of-the-art LLMs, revealing their strengths and limitations in this field.
arXiv Detail & Related papers (2025-05-12T08:54:07Z)
The Hitchhiker's Guide to Program Analysis, Part II: Deep Thoughts by LLMs [17.497629884237647]
BugLens is a post-refinement framework that significantly enhances static analysis precision for bug detection.<n>LLMs demonstrate promising code understanding capabilities, but their direct application to program analysis remains unreliable.<n>LLMs guide LLMs through structured reasoning steps to assess security impact and validate constraints from the source code.
arXiv Detail & Related papers (2025-04-16T02:17:06Z)
Beyond the Edge of Function: Unraveling the Patterns of Type Recovery in Binary Code [55.493408628371235]
We propose ByteTR, a framework for recovering variable types in binary code.<n>In light of the ubiquity of variable propagation across functions, ByteTR conducts inter-procedural analysis to trace variable propagation and employs a gated graph neural network to capture long-range data flow dependencies for variable type recovery.
arXiv Detail & Related papers (2025-03-10T12:27:05Z)
ReF Decompile: Relabeling and Function Call Enhanced Decompile [50.86228893636785]
The goal of decompilation is to convert compiled low-level code (e.g., assembly code) back into high-level programming languages.<n>This task supports various reverse engineering applications, such as vulnerability identification, malware analysis, and legacy software migration.
arXiv Detail & Related papers (2025-02-17T12:38:57Z)
Fast and Efficient What-If Analyses of Invocation Overhead and Transactional Boundaries to Support the Migration to Microservices [0.3222802562733786]
Microservice architecture improves agility and maintainability of software systems.<n>Decomposing existing software into out-of-process components can have a severe impact on non-functional properties.<n>What-if analyses allow to explore different scenarios and to develop the service boundaries in an iterative and incremental way.
arXiv Detail & Related papers (2025-01-30T09:42:56Z)
Technical Upgrades to and Enhancements of a System Vulnerability Analysis Tool Based on the Blackboard Architecture [0.0]
Generalization logic building on the Blackboard Architecture's rule-fact paradigm was implemented in this system. The paper concludes with a discussion of avenues of future work, including the implementation of multithreading.
arXiv Detail & Related papers (2024-09-17T05:06:42Z)
LLMDFA: Analyzing Dataflow in Code with Large Language Models [8.92611389987991]
This paper presents LLMDFA, a compilation-free and customizable dataflow analysis framework. We decompose the problem into several subtasks and introduce a series of novel strategies. On average, LLMDFA achieves 87.10% precision and 80.77% recall, surpassing existing techniques with F1 score improvements of up to 0.35.
arXiv Detail & Related papers (2024-02-16T15:21:35Z)
BiBench: Benchmarking and Analyzing Network Binarization [72.59760752906757]
Network binarization emerges as one of the most promising compression approaches offering extraordinary computation and memory savings. Common challenges of binarization, such as accuracy degradation and efficiency limitation, suggest that its attributes are not fully understood. We present BiBench, a rigorously designed benchmark with in-depth analysis for network binarization.
arXiv Detail & Related papers (2023-01-26T17:17:16Z)
Comparative Code Structure Analysis using Deep Learning for Performance Prediction [18.226950022938954]
This paper aims to assess the feasibility of using purely static information (e.g., abstract syntax tree or AST) of applications to predict performance change based on the change in code structure. Our evaluations of several deep embedding learning methods demonstrate that tree-based Long Short-Term Memory (LSTM) models can leverage the hierarchical structure of source-code to discover latent representations and achieve up to 84% (individual problem) and 73% (combined dataset with multiple of problems) accuracy in predicting the change in performance.
arXiv Detail & Related papers (2021-02-12T16:59:12Z)

This list is automatically generated from the titles and abstracts of the papers in this site.