Detecting Dynamic Binary Instrumentation Frameworks

Friday 27 - 17:20

Nahuel Riva y Francisco Falcon, Core Security

The talk will be given in Spanish.

Abstract: For some years now there has been an alternative for dynamic code analysis: Dynamic Binary Instrumentation (DBI) frameworks. These have gained popularity in the information security field, and their use for reverse engineering tasks is increasing. Today there are DBI-based tools for many different tasks, such as covert debugging, shellcode detection, taint analysis, instruction tracing, automatic unpacking and self-modifying code analysis, among others. We believe that as DBI-based reverse engineering tools gain popularity, defensive techniques to evade dynamic code analysis through instrumentation will arise. Our research aims to be the starting point for documenting and presenting techniques that detect the presence of DBI-based tools. During the talk we will show more than a dozen techniques that can be used to determine whether our code is being instrumented, focusing on Pin, Intel's DBI framework. We will also release a benchmark-like tool, eXait (the eXtensible Anti-Instrumentation Tester), which automatically tests every technique discussed during the talk.

About the speakers: Nahuel Riva has contributed to the information security community since 2003. Since 2007 he has worked on Core's exploit writing team, focusing on Windows vulnerabilities. He has also discovered vulnerabilities in software, published security advisories and developed a tool for cleaning hooks from the SSDT. Nahuel is also an expert in cracking and has taught courses at Ekoparty 2010 and 2011. Francisco Falcon has worked in reverse engineering since 2004. He has published security advisories detailing vulnerabilities he found in products developed by IBM, Oracle, Novell and Google.