HALF: Hollowing Analysis Framework for Binary Programs with Kernel Module Assistance
Abstract
Binary program analysis represents a fundamental pillar of modern system security. Fine-grained methodologies like dynamic taint analysis still suffer from deployment complexity and performance overhead despite significant progress. Traditional in-process analysis tools trigger severe address-space conflicts that inevitably disrupt the native memory layout of the target. These conflicts frequently cause layout-sensitive exploits and evasive malware to deviate from their intended execution paths or fail entirely. This paper introduces HALF as a novel framework that resolves this fundamental tension while ensuring both analysis fidelity and practical performance. HALF achieves high-fidelity address-space transparency by leveraging a kernel-assisted process hollowing mechanism. This design effectively eliminates the observation artifacts that characterize traditional instrumentation tools. We further mitigate the synchronization latency of decoupled execution by implementing an exception-driven strategy via a lightweight kernel monitor. Extensive evaluation of a Windows-based prototype demonstrates that HALF maintains superior performance compared to conventional in-process baselines. HALF also provides unique capabilities for deconstructing complex, stealthy threats where existing frameworks fail to maintain execution integrity.
Turn this paper into a full lesson
ArcXiv compiles a staged curriculum from this paper: 8-12 lessons across beginner → advanced, synthesised section guides, visuals, flashcards, a quiz, exercises, and on-demand deep dives per section. Grounded in the abstract, never invented.