Helikaon Linux Debugger

Presented at REcon 2008, June 14, 2008, 10 a.m. (60 minutes).

The Linux OS is not immune to malware and viruses. The reverse engineer is faced with fighting through anti-debugging protections when trying to understand these binaries, which can be a tedious and time-consuming process. COTS debuggers such as GDB and IDA Pro are detected on Linux by a variety of anti-debugging techniques. I have developed a stealthy Linux-driver-based debugger named "Helikaon" that will aid the reverse engineer in debugging running executables without being detected. Helikaon injects a jump at runtime from kernel land into a running user-mode process rather than using standard debugger breakpoints like "INT 3" or the DR0-DR7 hardware debug registers. Find out about alternate techniques for dynamic analysis in the Linux environment.


Presenters:

  • Jason Raber
    I serve as the technical lead for the Riverside Research Institute Red Team, which provides government and commercial entities with specialized software security support. Focus areas include:
      ◦ Reverse Engineering: Specializes in extracting intellectual property from a broad spectrum of software. This includes user applications, DLLs, drivers, OS kernels, and firmware. The software can be based on a variety of platforms (Windows/Linux/Mac/Embedded, etc.).
      ◦ Malware/Virus/RootKit Analysis: Identifies and analyzes intrusion software to characterize and/or neutralize the threat.
    I have spent seven years in the world of reverse engineering, preceded by five years working at Texas Instruments developing compiler tools for DSPs (code generators, assemblers, linkers, disassemblers, etc.). Developing C compilers for five years prior to reverse engineering has provided a good foundation for understanding machine language and hardware to be utilized in reverse engineering tasks.
