HALF: Hollowing Analysis Framework for Binary Programs with Kernel Module Assistance
Zhangbo Long, Letian Sha, Jiaye Pan, Dongpeng Xu, Yifei Huang, Fu Xiao
TL;DR
HALF addresses the enduring conflict between fidelity and performance in fine-grained dynamic binary analysis by using kernel-assisted process hollowing to create a hollowed container that shares the target's address layout. A lightweight instrumented target records dynamic events, while a separate analysis container performs heavyweight taint propagation under a same-address view, coordinated by a kernel monitor that uses exception-driven synchronization. Empirical results on Windows show substantial efficiency gains over in-process baselines, and HALF successfully analyzes layout-sensitive exploits and real malware where prior frameworks fail due to memory conflicts. The work demonstrates a practical, deployable approach to transparent binary analysis with strong isolation, enabling more accurate threat reproduction and analysis in security workflows.
Abstract
Binary program analysis represents a fundamental pillar of modern system security. Fine-grained methodologies like dynamic taint analysis still suffer from deployment complexity and performance overhead despite significant progress. Traditional in-process analysis tools trigger severe \textbf{address-space conflicts} that inevitably disrupt the native memory layout of the target. These conflicts frequently cause layout-sensitive exploits and evasive malware to deviate from their intended execution paths or fail entirely. This paper introduces \textbf{HALF} as a novel framework that resolves this fundamental tension while ensuring both analysis fidelity and practical performance. HALF achieves high-fidelity address-space transparency by leveraging a kernel-assisted process hollowing mechanism. This design effectively eliminates the observation artifacts that characterize traditional instrumentation tools. We further mitigate the synchronization latency of decoupled execution by implementing an exception-driven strategy via a lightweight kernel monitor. Extensive evaluation of a Windows-based prototype demonstrates that HALF maintains superior performance compared to conventional in-process baselines. HALF also provides unique capabilities for deconstructing complex, stealthy threats where existing frameworks fail to maintain execution integrity.
