Dynamic Binary Instrumentation Frameworks: I know you're there spying on me

Presented at REcon 2012, June 16, 2012, 2 p.m. (60 minutes).

Debuggers have been, and still are, the de-facto tool for dynamic analysis of programs. In the last decade a myriad of techniques to detect the presence of these kinds of tools have been developed as a defensive measure to avoid the analysis of code during runtime.

Over the past few years, an alternative for dynamic code analysis appeared: Dynamic Binary Instrumentation (DBI) frameworks. These have gained popularity in the information security field, and their usage for reverse engineering tasks is increasing. Nowadays we have DBI-based tools that allow us to perform different kinds of jobs, such as covert debugging, shellcode detection, taint analysis, instruction tracing, automatic unpacking, and self-modifying code analysis, among others.

We believe that as DBI framework-based reverse engineering tools gain popularity, defensive techniques to avoid dynamic code analysis through instrumentation will arise. Our research aims to be the starting point in the task of documenting and presenting different techniques to detect the presence of DBI framework-based tools.

During our talk we will show over a dozen techniques that can be used to determine if our code is being instrumented, focusing on Pin, Intel's DBI framework. We will also release a benchmark-like open source tool, which allows every technique discussed in the talk to be tested automatically. We call this tool eXait, the eXtensible Anti-Instrumentation Tester.
