PreVice: Static Detection of Hooking Capabilities in Machine Code

Presented at REcon 2018, June 15, 2018, 4 p.m. (60 minutes)

In the future, static analysis catches hookers before they have a chance to act.

We present PreVice, a static analyzer that very quickly detects a variety of hooking capabilities--including Detours, import, and syscall hooking--in x86 and x64 Windows PEs. We discuss the inner workings of the static analyzer in theory and practice, and then we delve into some of the interesting things we found during a scan of many, many millions of files.


Presenters:

  • Claudiu Teodorescu
    Claudiu Teodorescu is a Research Scientist with an extensive background in Computer Forensics, Cryptography and Reverse Engineering. Prior to joining Cylance, Claudiu worked for FireEye in the FLARE (FireEye Labs Advanced Reverse Engineering) team as a Sr. Reverse Engineer, leading research projects such as WMI and Application Compatibility-based malware persistence and Windows 10 RAM page compression, and also serving as an instructor of FLARE's Advanced Malware Analysis course (BlackHat USA 2015, 2016). Prior to FireEye, he worked for Guidance Software as Principal Developer/Manager, writing forensic parsers for different file formats and mail containers, and integrations with different disk/volume/file-based encryption products to support the EnCase tool. Claudiu is the author of the WMI-parser tool, which helps IR teams forensically identify malware persistence.
  • Derek Soeder
    Derek Soeder is a Principal Researcher at Cylance. He has reverse-engineered, prototyped, and programmed for offense and defense with a number of companies, including eEye Digital Security. Derek specializes in Windows internals and manipulating systems at a machine-code level.
  • Andy Wortman
    Andy Wortman is currently focused on static analysis of compiled code, abstracting interesting aspects back to something amenable to machine (or human!) understanding. Andy has worked on disassemblers, decompilers, and static analysis at Cylance to advance its capabilities in program analysis and extracting program behavior. Aside from program analysis work, Andy is a fan of programming language theory, virtual machine and interpreter construction, ham radio, and astrophotography, and is always excited to talk about weird computers.
