Process Stalking: Run Time Visual RCE

Presented at REcon 2005, June 17, 2005, 4:30 p.m. (60 minutes).

In today's world, closed-source software dominates the desktop and much of the server room. While a variety of tools and methodologies exist for security research in open-source software, binary analysis remains a mostly unexplored field. Post discovery and 0day vulnerability researchers heavily rely on reverse code engineering (RCE) to accomplish their work. The purpose of this talk is to introduce the art and science of "Process Stalking" to the general public. "Process Stalking" is a term coined to describe the combined process of run-time profiling, state mapping and tracing using visual tools. In this presentation I will outline a methodology that can be consistently applied when conducting RCE for all purposes and will demonstrate a custom toolset that can be utilized in automating the process. I will conclude with live walk throughs allowing the attendee to see the pieces of the presentation come into life. Attendee's should have experience with x86 assembly (especially win32 generated code), a background in security and experience with debuggers and disassemblers.


Presenters:

  • Pedram Amini
    Pedram Amini is the Assistant Director of iDEFENSE Labs and reigning iDEFENSE foosball champion. Despite the fancy titles he spends most of his time in the shoes of a security researcher where he is responsible for conducting vulnerability research, tearing apart unknown/malicious binaries, and developing reverse engineering tools and methodologies. He has recently spent much of his time developing automation tools, plug-ins and scripts for software like IDA Pro and OllyDbg. Pedram graduated from Tulane University with a computer science degree in 2002 and has been employed with iDEFENSE since.

Links:

Similar Presentations: