Presented at REcon 2008, June 14, 2008, 10 a.m. (60 minutes).
The Linux OS is not immune to malware and viruses. The reverse engineer is faced with fighting through anti-debugging protections when trying to understand these binaries, which can be a tedious and time-consuming process. COTS debuggers, such as GDB and IDA Pro, are detected on Linux by a variety of anti-debugging techniques. I have developed a stealthy Linux-driver-based debugger named "Helikaon" that will aid the reverse engineer in debugging running executables without being detected. Helikaon injects a jump at runtime from kernel land into a running user-mode process rather than using standard debugger breakpoints such as "INT 3" or the DR0-DR7 hardware debug registers. Find out about alternate techniques for dynamic analysis in the Linux environment.
Presenters:
- Jason Raber
I serve as the technical lead for the Riverside Research Institute Red Team which provides government and commercial entities with specialized software security support. Focus areas include:
o Reverse Engineering: Specializes in extracting intellectual property from a broad spectrum of software. This includes user applications, DLLs, drivers, OS kernels, and firmware. The software can be based on a variety of platforms (Windows/Linux/Mac/Embedded, etc.).
o Malware/Virus/RootKit Analysis: Identifies and analyzes intrusion software to characterize and/or neutralize the threat.
I have spent seven years in the world of reverse engineering, preceded by five years working at Texas Instruments developing compiler tools for DSPs (code generators, assemblers, linkers, disassemblers, etc.). Developing C compilers for five years prior to reverse engineering has provided a good foundation for understanding machine language and hardware to be utilized in reverse engineering tasks.