Presentation Title: Malware - Behavior, Tools, Scripting and Advanced Analysis
In this talk I will introduce a previously unreleased, new tool; an extension to Bochs, a popular open-source CPU emulator. This extension will provide with advanced debugging and scripting functionality enabling the easy creation of a wide range of tools. The scripting interface of this tool provides a full Python environment to control the whole CPU, memory, devices, etc. Among the examples that will be presented, time allowing, will be generic unpacking techniques, monitoring of malware behavior or low-level system access to kernel/administrative objects. The tool was created to assist the process of automated malware analysis but its flexibility make it a good candidate to also assist in vulnerability discovery.
The talk will first detail the architecture of the Bochs CPU emulator and quickly review some of its advantages over other systems. Secondly the extension will be introduced together will small usage examples. As a third and final part, different projects developed on top of this tool (such a generic malware unpacker or a monitor of an executable’s activity) will be previewed.
This tool will be open-source.
Ero Carrera is currently a reverse engineering automation researcher at zynamics GmbH (was SABRE Security Gmbh), home of BinDiff and BinNavi. He is a recurring trainer at the trainings held by Black Hat conference. Ero has previously spent several years as a Virus Researcher at F-Secure where his main duties ranged from reverse engineering of malware to research in analysis automation methods. Prior to F-Secure, he was involved in miscellaneous research and development projects and always had a passion for mathematics, reverse engineering and computer security.
While at F-Secure he advanced the field of malware classification introducing a joint paper with Gergely Erdelyi on applying genomic methods to binary structural classification. Other projects he’s worked on include seminal research on generic unpacking. Additionally, Ero is a habitual lurker on OpenRCE and has contributed to miscellaneous reverse engineering tools such as pydot, ida2sql, Pythonika and the broadly used pefile.