Sandbagility - Reverse Engineering Framework for Windows dynamic analysis: Hypervisor based introspection framework for Microsoft Windows for reverse engineering

Presented at REcon 2018, June 17, 2018, 10:30 a.m. (30 minutes)

There are mainly three approaches to malware reverse engineering: static analysis, dynamic analysis, and sandboxed analysis. The last is the fastest way to obtain some information, provided the malware is not designed to detect, escape, or otherwise avoid sandboxes. When it is, the analyst must fall back to static or dynamic analysis, which can be much slower. Sandbagility is a hypervisor-based introspection framework for Microsoft Windows designed for reverse engineering. It was developed to offer a hybrid between dynamic and sandbox analysis and to reduce analysis time. It is written in Python and is currently based on a [modified version of the VirtualBox hypervisor](https://winbagility.github.io/). It was designed to be stealthy, adaptive, and easy to use. Our presentation will use a practical case study to describe the framework. The chosen case is a well-known one, WannaCry (chosen not for its technical level but for educational purposes).

Presenters:

  • Eddy Deligne
    Eddy Deligne has worked at the French Ministry of Defense (DGA) as a reverse engineer since 2014. He holds a PhD in computer science; his thesis allowed him to deepen his knowledge of CPU virtualization technologies.
  • François Khourbiga
    After more than fifteen years doing computer security for various French administrations, François Khourbiga is now a security engineer at [Orange Cyberdefense](https://cyberdefense.orange.com). He is mainly interested in malware analysis.
