2020-05-15, 10:00–13:00, Workshop Track 2
Discover practical advanced binary analysis techniques such as code emulation, symbolic execution and dynamic instrumentation to help deal with and understand obfuscated and packed executables.
This workshop introduces advanced binary analysis concepts that are often required when reverse engineering executables protected by digital rights management (DRM) solutions or malicious software that attempts to hide behavior through code obfuscation and various indirections.
Participants will work on a tailor-made binary that simulates a packed and obfuscated malware dropper and apply the techniques presented to defeat its obfuscation and unpack each stage in order to recover and analyze the final payload. The solution to each stage will be shown and explained in detail. At the end of the workshop, attendees will be able to write emulation scripts using Python and the Unicorn engine, use dynamic instrumentation to automate unpacking, and perform selective symbolic execution and constraint solving to analyze program behavior.
The workshop will cover the following topics:
- A brief introduction to the tools and frameworks
- Overview of common obfuscation techniques
  - Metamorphic code
  - Opaque predicates
  - In-memory decryption
  - In-memory packing
- Analysis techniques
  - Code emulation
  - Symbolic execution
  - Dynamic instrumentation
- Emulating a shellcode decryption routine and dropper using Unicorn
- Dynamic instrumentation to retrieve the unpacked payload
- Partial symbolic execution to solve metamorphic transformations