D-TIME is a runtime obfuscation framework for malware in Windows. The framework was developed as a part of my Master's Project and published in WOOT'19. In addition to D-TIME, the paper also introduces SCBC, a robust covert broadcasting channel for Windows as well as Linux-based operating systems.
An important aspect of malware design is to be able to evade detection. This is increasingly difficult to achieve with powerful runtime detection techniques based on behavioural and heuristic analysis. In this paper, we propose D-TIME, a new
D-TIME splits a malware executable into small chunks of instructions and executes one chunk at a time in the context of an infected thread. It uses a Microsoft Windows feature called Asynchronous Procedure Call (APC) to facilitate chunk invocation; shared memory to coordinate between chunk executions; and a novel
We evaluate D-TIME on a Microsoft Windows system with six different malware and demonstrate its undetectability with 10 different anti-virus software. We also study the CPU usage and its influence on Performance Counters.