Presented at REcon 2015
June 20, 2015, 11 a.m.
Over the years many attempts have been made to combine static and dynamic analysis results. Some were good, others were bad; however, the fact is that those two approaches still remain mostly separated, as most analysis tools focus on only one of them.
For many years, this lack of integration and the manual passing of data between static and dynamic tools has caused a lot of frustration among researchers.
This was the main motivation in creating DIE.
DIE is a new Hex-Rays IDA plugin that crosses the static-dynamic gap directly into the native IDA GUI. It gives the researcher access to runtime values from within his standard disassembler screen.
As opposed to previous projects with similar goals, DIE takes a different approach by using an extensive plugin framework which allows the community to constantly add logic in order to better analyze and optimize the retrieved runtime values.
With a click of a button, everything is accessible to the researcher: he can inspect handles passed to a function, analyze injected code or runtime strings, enumerate dynamic structures, follow indirect function calls and more (and the list keeps on growing). All of this happens without the researcher ever leaving his familiar disassembler screen.
Even better, as DIE is tightly coupled with IDA, it supports essentially any architecture, data type or signature that IDA supports.
DIE currently has a small but well-respected community of contributors. Starting with the alpha version, DIE users have been able to cut their research time by 20%-40%. As complex reverse engineering tasks may take several weeks or even several months to complete, DIE has already proved to be a valuable resource and a prominent part of the researcher's toolkit.
My talk introduces DIE for the very first time to the research community. I explain the basic idea behind DIE, describe its architecture, and show live examples of how to use its extensive plugin framework to speed up the research process. The talk includes *live examples* which have been carefully selected from real research projects in various security fields and demonstrate how DIE can be used to speed up bypassing software protections, unpack malware, and very quickly locate malware de-obfuscation functions.