Reverse Engineering with Hypervisors

Presented at REcon 2010, July 11, 2010, 11 a.m. (60 minutes)

Hypervisors make very good tools to aid in reverse engineering. This talk will concentrate on two related areas: modifications to the Ether system made to improve unpacking capabilities. I will highlight my method for more accurate OEP detection, PE rebuilding, and using the Windows memory management data structures to more accurately recover the import table. I will also show my improvements to VERA, a visualization tool that makes reverse engineering drastically faster.


Presenters:

  • Danny Quist
    Danny Quist is the CEO and founder of Offensive Computing, LLC, an open malware research site. He holds a Ph.D. from the New Mexico Institute of Mining and Technology. His interests include malware defense, reverse engineering, software and hardware exploitation, virtual machines, and automatic executable classification systems. He has presented at Blackhat, the RSA Conference, Shmoocon, and Defcon.
