NorthSec 2020 (Online Edition)

Dynamic Data Resolver IDA plugin – Extending IDA with dynamic data
2020-05-15, 10:10–10:55, Twitch

Dynamic Data Resolver IDA plugin – Extending IDA with dynamic data

This IDA Plugin is instrumenting the binary using the DynamoRIO framework. It can resolve most of the dynamic values for registers and memory locations which are usually missed in a static analysis. It can help to find jump locations e.g. call eax or interesting strings e.g. “PE” which are decoded at runtime. You can also instrument the binary in a way that it can dump interesting buffers and last but not least you have several options to patch the binary at runtime to avoid anti-analyzing functions.

The talk would first describe the basics about the DynamoRIO instrumentation framework and then the capabilities, architecture and features of the plugin, followed by a live demo. The plugin can significantly improve the analyzing time of malware samples.

Holger is working for Cisco Talos, the threat research organization of Cisco. Our goal is to find and reverse engineer new unknown malware campaigns. My team uncovered attacks like NotPetya, WannaCry, DNSpionage, SeaTurtle and many more. I am frequently presenting on internal and external conferences, for example: Microsoft Digital Crime Consortium (DCC), Google Annual RE Meeting, FIRST, ISC, 4th International Conference on Cybersecurity and Privacy Balkan, BSIDES Munich, SecIT Germany, CiscoLive and more.