Covert Debugging: Circumventing Software Armoring Techniques

Presented at DEF CON 15 (2007), Aug. 3, 2007, 2 p.m. (50 minutes)

Software armoring techniques have increasingly created problems for reverse engineers and software analysts. As protections such as packers, run-time obfuscators, virtual machine and debugger detectors become common newer methods must be developed to cope with them. In this talk we will present our covert debugging platform named Saffron. Saffron is based upon dynamic instrumentation techniques as well as a newly developed page fault assisted debugger. We show that the combination of these two techniques is effective in removing armoring from the most advanced software armoring systems. As a demonstration we will automatically remove packing protections from malware.

Presenters:

• Valsmith - Cofounder, Offensive Computing, LLC
  Valsmith has been involved in the computer security community and industry for over ten years. He currently works as a professional security researcher on problems for both the government and private sectors. He specializes in penetration testing (over 40,000 machines assessed), reverse engineering and malware research. He works on the Metasploit Project development team as well as other vulnerability development efforts. Most recently Valsmith founded Offensive Computing, a public, open source malware research project. Valsmith is also a member of the Cult of the Dead Cow NSF.
• Danny Quist - Cofounder, Offensive Computing, LLC
  Danny Quist is currently the CEO and co-founder of Offensive Computing, LLC a public malware research site as well as a consulting company. He is a PhD student at New Mexico Tech working on automated analysis methods for malware with software and hardware assisted techniques. He has written several defensive systems to mitigate virus attacks on networks and developed a generic network quarantine technology. He consults both with both private and public sectors on system and network security . His interests include malware defense, reverse engineering, exploitation methods, virtual machines, and automatic classification systems.

Links:

• https://defcon.org/html/defcon-15/dc-15-speakers.html#Quist
• https://infocon.org/cons/DEF CON/DEF CON 15/DEF CON 15 video/DEF CON 15 - Quist and Valsmith - Covert Debugging - Video.mp4
• https://www.youtube.com/watch?v=IeMCCZD5kVA

Similar Presentations:

• Black Hat Asia 2015 / DABiD: The Powerful Interactive Android Debugger for Android Malware Analysis
• REcon 2008 / Helikaon Linux Debuger