NorthSec 2020 (Online Edition)

Advanced Binary Analysis
2020-05-15, 10:00–13:00, Workshop Track 2

Discover practical advanced binary analysis techniques like code emulation, symbolic execution and dynamic instrumentation to help dealing with and understanding obfuscated and packed executables.

This workshop introduces advanced binary analysis concepts that are often required when reverse engineering executables protected by digital rights management (DRM) solutions or malicious software that attempts to hide behavior through code obfuscation and various indirections.

Participants will work on a tailor-made binary that simulates a packed and obfuscated malware dropper and apply the techniques presented to defeat its obfuscation and unpack each stage in order to recover and analyze the final payload. The solution to each stage will be shown and explained in detail. At the end of the workshop, attendees will be able to write emulation scripts using Python and Unicorn engine, use dynamic instrumentation to automate unpacking and perform selective symbolic execution and constraint solving to analyze program behavior.

The workshop will cover the following topics:

  • A brief introduction to the tools and frameworks
  • Overview of common obfuscation techniques
    • Metamorphic Code
    • Opaque Predicates
    • Virtualization
    • In-memory decryption
    • In-memory packing
  • Analysis Techniques
    • Code Emulation
    • Symbolic Execution
    • Dynamic Instrumentation
  • Exercises
    • Emulating a shellcode decryption routine and dropper using Unicorn
    • Dynamic Instrumentation to retrieve unpacked payload
    • Partial symbolic execution to solve metamorphic transformations

Workshops only: What level of knowlegde or prerequisites should participants have?

Participants should have a basic knowledge of x86-64 assembly and be comfortable reading C code. Experience in reverse engineering is recommended but not necessary and no prior experience with the presented techniques is required.

Workshops only: What materials (if any) should participants bring to the workshop?

A laptop running Linux and the following software is recommended for participants who wish to attempt the workshop exercises:

A Virtualbox image containing all the required tools will be provided at the start of the workshop. If planning to use the VM, it is recommended to arrive early to allow time for copying the files and setting up the computer.

Alexandre is a security researcher working for GoSecure. His area of expertise is reverse engineering, binary exploitation and tool development. His previous experience as a software developer covers a broad spectrum of topics ranging from low-level systems and binary protocols to web applications. Prior to joining the research team, Alexandre spent time as an Ethical Hacker honing his offensive security skills. His areas of interest include binary analysis, compiler theory and systems programming. Alexandre gives back to the Montréal infosec community by volunteering his time, contributing workshops and designing application security challenges for events like MontréHack and REcon.