Reverse Engineering By Crayon: Game Changing Hypervisor Based Malware Analysis and Visualization

DEF CON 17

Presented by: Danny Quist, Lorie M. Liebrock
Date: Friday July 31, 2009
Time: 15:30 - 17:20
Location: Track 1
Track: Track 1

Recent advances in hypervisor based application profilers have changed the game of reverse engineering. These powerful tools have made reverse engineering orders of magnitude easier and enabled the next generation of analysis techniques. We will present and release our tool VERA, an advanced code visualization and profiling tool that integrates with the Ether Xen extensions. VERA allows for high-level program monitoring as well as low-level code analysis. Using VERA, we'll show how easy the process of unpacking armored code becomes, and how to identify the relevant and interesting portions of an executable. VERA integrates with IDA Pro easily and helps you annotate the executable before looking at a single assembly instruction. Initial testing with inexperienced reversers has shown that this tool provides an order of magnitude speedup compared to traditional techniques.
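To make the kind of analysis the abstract describes concrete, here is an added example (not VERA's or Ether's code, and not from the talk) of what can be derived from the data a hypervisor profiler exposes: a per-instruction execution trace plus the guest's memory writes. Two derived views are shown: a coarse control-transfer graph between code regions, which is what a visualizer draws first, and the classic write-then-execute signal for unpacked code, i.e. the first execution of memory the program itself wrote, which marks the original entry point (OEP) of a packed binary. The trace format (a list of `("exec", addr)` and `("write", addr, size)` tuples) and the sample trace are constructed for this example and are not Ether's real log format.

```python
"""Trace-based unpacking detection and control-flow summarization.

Illustrative example written for this page; it is not VERA or Ether code.
Assumes a hypervisor profiler has already produced a trace of executed
instruction addresses and guest memory writes, in a made-up tuple format.
"""
from collections import defaultdict

PAGE = 0x1000

# Constructed sample trace: a packer stub at 0x401000-0x401019 decrypts a
# payload into 0x403000-0x40300b in a short loop, then jumps into it.
SAMPLE_TRACE = [
    ("exec", 0x401000),
    ("exec", 0x401005),
    ("write", 0x403000, 4),      # stub writes decrypted payload bytes
    ("exec", 0x40100a),
    ("write", 0x403004, 4),
    ("exec", 0x40100f),
    ("write", 0x403008, 4),
    ("exec", 0x401014),          # loop back to the decrypt body
    ("exec", 0x401005),
    ("exec", 0x40100a),
    ("exec", 0x40100f),
    ("exec", 0x401014),
    ("exec", 0x401019),          # jmp into the unpacked code
    ("exec", 0x403000),          # first execution of written memory -> OEP
    ("exec", 0x403004),
    ("exec", 0x403008),
]


def find_oep_candidates(trace):
    """Return addresses executed after having been written, in first-hit order.

    Each address is reported once; the earliest one is the best OEP candidate
    for a single-layer packer. Multi-layer packers yield one per layer, so the
    caller should keep the whole list rather than only the first entry.
    """
    written = set()
    reported = set()
    candidates = []
    for ev in trace:
        if ev[0] == "write":
            _, addr, size = ev
            written.update(range(addr, addr + size))
        else:
            _, addr = ev
            if addr in written and addr not in reported:
                reported.add(addr)
                candidates.append(addr)
    return candidates


def transition_graph(trace, granularity=PAGE):
    """Count control transfers between code regions of `granularity` bytes.

    Heavy edges are loops (the decryption loop here); rare edges are the
    interesting hand-offs such as stub -> payload. Smaller granularity gives a
    finer graph without needing a disassembler.
    """
    edges = defaultdict(int)
    prev = None
    for ev in trace:
        if ev[0] != "exec":
            continue
        region = ev[1] // granularity * granularity
        if prev is not None and region != prev:
            edges[(prev, region)] += 1
        prev = region
    return dict(edges)


def annotations(trace):
    """Comments keyed by address, ready to be pushed into a disassembler."""
    return {a: "executed after write: unpack OEP candidate"
            for a in find_oep_candidates(trace)}


if __name__ == "__main__":
    for a in find_oep_candidates(SAMPLE_TRACE):
        print(f"OEP candidate: {a:#x}")
    for (src, dst), n in transition_graph(SAMPLE_TRACE, 0x10).items():
        print(f"{src:#x} -> {dst:#x}  x{n}")
```

On the constructed trace the first OEP candidate is 0x403000, and at 16-byte granularity the graph shows the two-region decrypt loop plus the single stub-to-payload edge; at page granularity only the latter survives. Real traces from a hypervisor profiler are millions of events long, which is why the coarse graph is the useful first view and the write-then-execute list is the shortcut into the unpacked code.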

Danny Quist

<strong>Danny</strong> is currently CEO and co-founder of Offensive Computing, LLC, a security vulnerability consulting company. He is a Ph.D. candidate at New Mexico Tech working on automated analysis methods for malware using software and hardware assisted techniques. He holds a patent for a network quarantine system. His research interests include reverse engineering and exploitation methods.

Lorie M. Liebrock

<strong>Lorie M. Liebrock</strong> Bio to come

