Covert Debugging: Circumventing Software Armoring Techniques

Presented at DEF CON 15 (2007), Aug. 3, 2007, 2 p.m. (50 minutes).

Software armoring techniques have increasingly created problems for reverse engineers and software analysts. As protections such as packers, run-time obfuscators, virtual machine and debugger detectors become common newer methods must be developed to cope with them. In this talk we will present our covert debugging platform named Saffron. Saffron is based upon dynamic instrumentation techniques as well as a newly developed page fault assisted debugger. We show that the combination of these two techniques is effective in removing armoring from the most advanced software armoring systems. As a demonstration we will automatically remove packing protections from malware.


Presenters:

  • Danny Quist - Cofounder, Offensive Computing, LLC
    Danny Quist is currently the CEO and co-founder of Offensive Computing, LLC a public malware research site as well as a consulting company. He is a PhD student at New Mexico Tech working on automated analysis methods for malware with software and hardware assisted techniques. He has written several defensive systems to mitigate virus attacks on networks and developed a generic network quarantine technology. He consults both with both private and public sectors on system and network security . His interests include malware defense, reverse engineering, exploitation methods, virtual machines, and automatic classification systems.
  • Valsmith - Cofounder, Offensive Computing, LLC
    Valsmith has been involved in the computer security community and industry for over ten years. He currently works as a professional security researcher on problems for both the government and private sectors. He specializes in penetration testing (over 40,000 machines assessed), reverse engineering and malware research. He works on the Metasploit Project development team as well as other vulnerability development efforts. Most recently Valsmith founded Offensive Computing, a public, open source malware research project. Valsmith is also a member of the Cult of the Dead Cow NSF.

Links:

Similar Presentations: