Tripoux: Reverse Engineering of malware packers for dummies!

Joan Calvet (CARTE - Theoretical adverse computations, and safety; Inria Nancy - Grand Est, LORIA - FM - Department of Formal Methods)
Abstract: In front of us stands a malware's protection layer with millions of assembly instructions, and our goal is to understand what is going on. A comprehensive understanding lets us unpack the original code, build detection mechanisms for the malware family, or find interesting pieces of code. The purpose of this talk is to present a solution for understanding heavily obfuscated code that contains a large amount of information.

We first need to note that, when we speak of packer understanding, looking at system events like API calls is not enough: in most malware protection layers they represent only a small part of the code (and they are sometimes useless). One needs to work at the assembly level, which is a hard and time-consuming task. We have thus built some tools to help. These tools come in two parts:

1. A program execution monitor using dynamic binary instrumentation, combined with static information, that provides two outputs:
   - an improved trace, containing a very detailed view of the program execution (memory accesses, time, ...), in a format that is easy to parse;
   - an events file, showing a high-level view of the execution by displaying only specific events, e.g. loops, API calls, exceptions or dynamic layers of code. Moreover, since we monitor the program execution dynamically, we can do better than merely detecting these events: we also collect information about them, e.g. the arguments of API calls, the memory accesses made inside a loop, the exception error code, etc.

2. Some tools to rapidly exploit the collected information:
   - Two visualization tools: a timeline based on the detected events, through which the user can navigate the execution and see what kinds of events happen; the user can also define their own events on the execution trace, which are displayed on the timeline, and choose the abstraction level at which the execution is represented. And a memory profile, i.e. a memory view totally independent from the code itself, in which we see only its effects; it helps to diagnose the code's behaviour more easily than reading millions of assembly instructions.
   - An inference engine that uses rules defined either on the execution trace or on the memory profile (and thus, in the latter case, independent from the code).

It should be understood that we are not claiming to have built a silver bullet for malware analysis; our tool is not a replacement for IDA Pro or OllyDbg. Its goal is to support standard reverse-engineering work by providing ways to divide it into easier sub-parts, to offer starting points for the investigation of new binaries, and to rapidly recognize behaviours that have already been seen. During the presentation we will apply our framework to some recent malware families and show its usefulness. We will also release the source code, and we plan to set up a kind of sandbox analysis.
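As an added example (not Tripoux's own code), this sketches the kind of post-processing the events file relies on: a constructed instruction trace (all addresses and the trace format are assumptions) is reduced to loop events and dynamic-code-layer events with a write-then-execute check.

```python
"""Derive loop and dynamic-code-layer events from a constructed trace.

Added illustration, not the Tripoux implementation. The trace format
(instruction address, address written by that instruction or None) is an
assumption made for this example.
"""
from collections import Counter

# Constructed trace of a tiny stub that XOR-decodes three bytes at 0x401100
# inside a loop, then jumps into the decoded bytes (a new dynamic layer).
TRACE = [
    (0x401000, None),      # mov esi, 0x401100
    (0x401002, None),      # mov ecx, 3
    (0x401007, 0x401100),  # xor byte [esi], key   <- loop head, writes code
    (0x40100a, None),      # inc esi
    (0x40100b, None),      # dec ecx / jnz 0x401007 <- loop tail (back edge)
    (0x401007, 0x401101),
    (0x40100a, None),
    (0x40100b, None),
    (0x401007, 0x401102),
    (0x40100a, None),
    (0x40100b, None),
    (0x40100d, None),      # jmp 0x401100
    (0x401100, None),      # first execution of written bytes -> layer 1
    (0x401101, None),
    (0x401102, None),
]


def analyze(trace):
    """Return dynamic code layers (first execution of an address written
    since the previous layer change) and loops (backward control transfers,
    a simple heuristic that also fires on returns from calls)."""
    written = set()          # addresses written in the current layer
    layers = []              # (layer number, entry address)
    back_edges = Counter()   # (loop head, loop tail) -> times taken
    layer, prev = 0, None
    for addr, write in trace:
        if prev is not None and addr < prev:
            back_edges[(addr, prev)] += 1
        if addr in written:              # executing freshly written bytes
            layer += 1
            layers.append((layer, addr))
            written.clear()
        if write is not None:
            written.add(write)
        prev = addr
    return {"layers": layers, "loops": dict(back_edges)}


if __name__ == "__main__":
    result = analyze(TRACE)
    for n, entry in result["layers"]:
        print(f"layer {n} starts at {entry:#x}")
    for (head, tail), count in result["loops"].items():
        print(f"loop {head:#x}-{tail:#x}: back edge taken {count} times")
```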
Document type: Conference paper
DeepSec 2010, Nov 2010, Vienna, Austria. 2010
Contributor: Joan Calvet
Submitted on: Tuesday, 16 November 2010 - 18:18:04
Last modified on: Thursday, 11 January 2018 - 06:21:25

HAL Id: inria-00536727, version 1

Joan Calvet. Tripoux: Reverse Engineering of malware packers for dummies!. DeepSec 2010, Nov 2010, Vienna, Austria. 2010. 〈inria-00536727〉