Presented at Black Hat USA 2010
July 29, 2010, 11:15 a.m.
When analyzing large binary objects such as process memory dumps, proprietary data files, container file formats, and network flow payloads, security researchers are limited by the tiny textual window a hex editor and common command line utilities typically provide.
To the uninitiated, these objects may appear to be homogeneous, but -- as reverse engineers know -- in reality they consist of many diverse parts: text, images, compressed data, encrypted regions, audio samples, data structures, and much more. Some of these parts are instantly recognizable to a seasoned reverser, and the nature of others (e.g., compressed data) may be guessed when suitably depicted. Yet, visual classification remains arcane and unaided by convenient tools that would both present objects at a glance and help segment them.
The authors of this talk attempt to remedy this. The authors have laboriously gathered, cataloged, and studied forms of binary structure and will present a (concise) "visual dictionaries" of the binary structures you find in the wild and in the lab. You will see and understand the constituent parts found within binary objects, essential knowledge for the reverser, forensic analyst, and security researcher. You will be far better prepared to dissect proprietary data files, conduct memory forensics and deeply analyze any large binary object you may encounter.