Windows Defender under the microscope: a reverse engineer's perspective

Presented at VB2018, Oct. 4, 2018, 11:30 a.m. (30 minutes)

*Windows Defender*'s MpEngine.dll implements the core of *Defender*'s anti-virus functionality in an enormous ~11MB, 45,000+ function DLL. In 2017 and early 2018, I spent months reverse engineering *Defender*'s JavaScript and *Windows* binary emulators as a personal project after Tavis Ormandy's release of 0-days in the engine piqued my interest. While my previous conference presentations have covered the deep technical inner workings of the engine, in this presentation I'd like to share a reverse engineer's perspective on *Defender*: how I, as an industry outsider, went about reverse engineering the engine, interacting with it, and fuzzing it. Attendees will take away insights as to how reverse engineers might approach their emulators, the sort of intuition about an attack surface that a vulnerability researcher might bring to this analysis, and ultimately how they might better protect against researchers like me in the future.

Presenters:

  • Alexei Bulazel - ForAllSecure
Alexei Bulazel is a security researcher at ForAllSecure. He has previously presented research on reverse engineering anti-virus software at venues such as Black Hat, REcon, and ShmooCon, among others, and has published scholarly work on evasive malware techniques at USENIX WOOT and ROOTS. A graduate of Rensselaer Polytechnic Institute (RPI) and a proud alumnus of RPISEC, Alexei completed his M.S. under Dr Bülent Yener. @0xAlexei
