An algorithm for scheduling of threads for system and application code split approach in dynamic malware analysis

This paper discusses the development of tools for dynamic malware analysis. The main idea is to provide total control over a suspicious sample execution on the test computer. The approach we propose is to separate the application code from the system code by using memory page access control. Thus, we are able to detect all system API calls and non-standard ways to transfer the control flow. Our tools (codename ToolChain) intentionally consist of a Control module, a Scheduling module, and a Cloaking module. In our previous paper, we focused mainly on the Control module. In this paper, we introduce the Scheduling module. In case of multithreaded applications, we split threads into two pools, executing different code classes. We describe the hierarchical multiprocessor fair scheduling algorithm built upon Windows Round Robin with Priorities. In addition, we consider related cloaking techniques to hide performance degradation and the presence of the Scheduling module.