Virtual Machine Introspection Based on System Calls and Kernel Data Structures
https://doi.org/10.15514/ISPRAS-2025-37(6)-36
Abstract
The semantic gap is one of the key problems in developing solutions for full-system dynamic analysis. At the hypervisor level, tools have access only to low-level binary data, while analysis requires high-level information about the state of guest operating system objects. Virtual machine introspection approaches address this problem. Unfortunately, existing implementations of these approaches suffer from performance overhead and limited functionality. They require the user to embed special agents into the virtual machine image or to have debugging symbols for the OS kernel. They also turn out to work only for specific systems and processor architectures. The article presents a number of solutions that reduce overhead and increase the versatility of the analysis tool. The distinguishing feature of the developed introspection approach is that it requires no additional actions from the user: the information needed for analysis is collected while the OS boots in the emulator.
About the Authors
Vladislav Mikhailovich STEPANOV
Russian Federation
A software developer. Research interests: debugging, introspection and instrumentation of virtual machines, dynamic analysis of binary code, emulators.
Pavel Mikhailovich DOVGALYUK
Russian Federation
Cand. Sci. (Tech.), engineer. Research interests: virtual machine introspection and instrumentation, dynamic analysis of code, debuggers, emulators.
Natalia Igorevna FURSOVA
Russian Federation
Cand. Sci. (Tech.), engineer. Research interests: virtual machine introspection and instrumentation, dynamic analysis of code, emulators.
For citations:
STEPANOV V.M., DOVGALYUK P.M., FURSOVA N.I. Virtual Machine Introspection Based on System Calls and Kernel Data Structures. Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS). 2025;37(6):59-72. (In Russ.) https://doi.org/10.15514/ISPRAS-2025-37(6)-36