Advanced Software Armoring and Polymorphic Kung Fu

Presented at DEF CON 16 (2008), Aug. 10, 2008, 11 a.m. (50 minutes)

This presentation discusses the techniques employed by a new anti-reverse-engineering tool named PE-Scrambler. Unlike a traditional executable packer, which simply compresses or encrypts the original executable, this tool has the ability to permanently modify the compiled code itself. With the ability to modify compiled programs at the instruction level, a vast array of anti-reverse-engineering techniques become possible that would traditionally have been performed only by hand by seasoned hackers. In addition to thwarting a would-be reverse engineer, the tool has the ability to randomly modify code in a program in a fashion that keeps the functionality of the program intact. This is useful for modifying a program to defeat signature-recognition algorithms such as those used in anti-virus products. In this presentation we will discuss several of these anti-reverse-engineering and polymorphic techniques in depth. A new technique and tool for detecting armored and packed binaries will also be discussed and demonstrated. In addition to learning about two new security tools, attendees will learn state-of-the-art anti-disassembly and anti-debugging techniques. Attendees' eyes will be opened to the vast world of possibility that lies in the future for binary armoring, and they will develop a true contempt for the binary packers of today.
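The polymorphic idea the abstract describes, re-encoding instructions so that the bytes change while the behaviour does not, as an added example that is not PE-Scrambler's code or any code from the talk. It models a handful of x86-32 instructions with a hypothetical `EQUIVALENTS` table of interchangeable encodings, a constructed seven-byte sample function and a constructed byte signature for it; the decoder, interpreter and rewriter are all assumptions made for illustration, and the interpreter deliberately ignores flags.

```python
import random
from typing import Dict, List, Optional, Tuple

# Semantic operation -> functionally equivalent x86-32 encodings (hypothetical
# table built for this example). Members of a group differ only in the flags
# they leave behind: "mov eax,0" leaves flags alone while "xor eax,eax" clears
# them, and "inc eax" preserves CF while "add eax,1" does not. Nothing in the
# sample below reads flags, but a real rewriter must check flag liveness before
# picking a substitute.
EQUIVALENTS: Dict[str, List[bytes]] = {
    "zero_eax": [
        b"\x31\xc0",              # xor eax, eax
        b"\x29\xc0",              # sub eax, eax
        b"\xb8\x00\x00\x00\x00",  # mov eax, 0
    ],
    "mov_eax_ecx": [
        b"\x89\xc8",  # mov eax, ecx   (opcode 89 /r, reg-to-r/m direction)
        b"\x8b\xc1",  # mov eax, ecx   (opcode 8b /r, r/m-to-reg direction)
        b"\x8d\x01",  # lea eax, [ecx]
    ],
    "inc_eax": [
        b"\x40",          # inc eax
        b"\x83\xc0\x01",  # add eax, 1
    ],
    "nop": [
        b"\x90",      # nop
        b"\x87\xc9",  # xchg ecx, ecx
        b"\x8d\x09",  # lea ecx, [ecx]
    ],
    "ret": [b"\xc3"],
}

# Reverse table for decoding; longest encodings first so prefix matching is safe.
_DECODE_TABLE = sorted(
    ((enc, op) for op, encs in EQUIVALENTS.items() for enc in encs),
    key=lambda pair: -len(pair[0]),
)

# Constructed sample function: xor eax,eax / mov eax,ecx / inc eax / nop / ret
SAMPLE_FUNCTION = b"\x31\xc0\x89\xc8\x40\x90\xc3"
# Constructed byte signature a scanner might carry for the first three instructions.
SIGNATURE = b"\x31\xc0\x89\xc8\x40"


def decode(code: bytes) -> List[Tuple[str, bytes]]:
    """Split a byte string into (operation, encoding) pairs."""
    out, pos = [], 0
    while pos < len(code):
        for enc, op in _DECODE_TABLE:
            if code.startswith(enc, pos):
                out.append((op, enc))
                pos += len(enc)
                break
        else:
            raise ValueError(f"unknown encoding at offset {pos}: {code[pos:pos + 4].hex()}")
    return out


def execute(code: bytes, eax: int, ecx: int) -> int:
    """Tiny interpreter for the operations above; returns eax at the ret."""
    for op, _ in decode(code):
        if op == "zero_eax":
            eax = 0
        elif op == "mov_eax_ecx":
            eax = ecx
        elif op == "inc_eax":
            eax = (eax + 1) & 0xFFFFFFFF
        elif op == "ret":
            return eax
        # "nop" changes no architectural state
    raise ValueError("code ran off the end without a ret")


def mutate(code: bytes, seed: Optional[int] = None) -> bytes:
    """Re-encode every instruction with a *different* equivalent encoding when
    one exists, so behaviour is preserved but the byte pattern changes."""
    rng = random.Random(seed)
    out = bytearray()
    for op, current in decode(code):
        alternatives = [e for e in EQUIVALENTS[op] if e != current] or [current]
        out += rng.choice(alternatives)
    return bytes(out)


def variant_count(code: bytes) -> int:
    """How many distinct byte-level variants this rewriting can produce."""
    total = 1
    for op, _ in decode(code):
        total *= len(EQUIVALENTS[op])
    return total


if __name__ == "__main__":
    variant = mutate(SAMPLE_FUNCTION, seed=7)
    print("original:", SAMPLE_FUNCTION.hex(), "eax =", execute(SAMPLE_FUNCTION, 5, 41))
    print("variant: ", variant.hex(), "eax =", execute(variant, 5, 41))
    print("signature matches original:", SIGNATURE in SAMPLE_FUNCTION)
    print("signature matches variant: ", SIGNATURE in variant)
    print("possible variants:", variant_count(SAMPLE_FUNCTION))
```

Two things the toy makes visible that the abstract only alludes to. First, several substitutes change the instruction length (the five-byte `mov eax, 0` for a two-byte `xor eax, eax`), so every relative branch, call and data reference that crosses the rewritten instruction has to be re-encoded; that fix-up work is what separates instruction-level rewriting from a packer that leaves the original code untouched under a compression layer. Second, the same equivalence table read in reverse is a normaliser: a detector that canonicalises each instruction before matching is not fooled by this class of substitution, which is why purely byte-pattern signatures are the weak target here.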

Presenters:

  • Nick Harbour - Principal Consultant, Mandiant
    Nick Harbour is a Principal Consultant with Mandiant. He specializes in malware analysis and incident response as well as both offensive and defensive research and development. He also occasionally teaches malware analysis and reverse engineering. Nick's nine-year history in the security industry began as a researcher and forensic examiner at the DoD Computer Forensics Lab (DCFL), where he helped pioneer the field of computer forensics. Nick is a developer of open-source software, most notably dcfldd, the popular forensic disk-imaging tool; tcpxtract, a tool for carving files out of network traffic; and Mandiant Red Curtain, a tool for identifying malicious binaries. Nick is also a trained chef!
