Reverse Engineering By Crayon: Game Changing Hypervisor Based Malware Analysis and Visualization

Presented at DEF CON 17 (2009), July 31, 2009, 3:30 p.m. (50 minutes)

Recent advances in hypervisor based application profilers have changed the game of reverse engineering. These powerful tools have made it orders of magnitude easier to reverse engineer and enabled the next generation of analysis techniques. We will also present and release our tool VERA, which is an advanced code visualization and profiling tool that integrates with the Ether Xen extensions. VERA allows for high-level program monitoring, as well as low-level code analysis. Using VERA, we'll show how easy the process of unpacking armored code is, as well as identifying relevant and interesting portions of executables. VERA integrates with IDA Pro easily and helps you to annotate the executable before looking at a single assembly instruction. Initial testing with inexperienced reversers has shown that this tool provides an order of magnitude speedup compared to traditional techniques.


Presenters:

  • Lorie M. Liebrock - New Mexico Tech Computer Science Department
    Lorie M. Liebrock Bio to come
  • Danny Quist - CEO, Offensive Computing
    Danny is currently CEO and co-founder of Offensive Computing, LLC, a security vulnerability consulting company. He is a Ph.D. candidate at New Mexico Tech working on automated analysis methods for malware using software and hardware assisted techniques. He holds a patent for a network quarantine system. His research interests include reverse engineering and exploitation methods.
