REVERSE ENGINEERING WINDOWS DEFENDER ANTIVIRUS

Presented at Summercon 2018, June 29, 2018, 4 p.m. (50 minutes)

Windows Defender Antivirus' MpEngine.dll implements the core of Defender's functionality in an enormous ~11 MB, 30,000+ function DLL. Based on months of personal research time spent reverse engineering Defender, I'll cover my findings on Defender's dynamic analysis systems, custom tooling that I built to enable my analysis, and various ways that malicious code can give Defender trouble.
Presenters:

  • Alexei Bulazel
    Alexei Bulazel (@0xAlexei) is a security researcher at ForAllSecure. He also provides expertise on reverse engineering and cyber policy at River Loop Security. Alexei has previously presented his research at venues such as Black Hat, REcon Brussels, and ShmooCon, among others, and has published scholarly work at the USENIX Workshop on Offensive Technologies (WOOT) and the Reversing and Offensive-oriented Trends Symposium (ROOTS). A graduate of Rensselaer Polytechnic Institute (RPI) and a proud alumnus of RPISEC, Alexei completed his MS under Dr. Bülent Yener.