Binee - Complete Emulation of Advanced Malware

Offered By: BasisTech via YouTube

Tags

Open Source Digital Forensics Conference (OSDFCon) Courses Reverse Engineering Courses Malware Analysis Courses Dynamic Analysis Courses Vulnerability Research Courses

Course Description

Overview

Explore advanced malware emulation techniques in this conference talk from OSDFCon 2019. Dive into Binee, a new Windows Process emulator that creates a nearly identical Windows process memory model, mimics the OS kernel, and outputs detailed function call descriptions. Learn how Binee collects dynamic analysis data at speeds comparable to static analysis tools, including obfuscated or packed function calls. Discover the debug mode resembling gdb, allowing for breaking, memory and register modifications, and function parameter adjustments. Understand Binee's potential as a framework for future projects, including ELF and Mach-O binary support. Gain insights into rapid examination of control flow and function arguments, valuable for reverse engineers and vulnerability researchers. Follow the speaker's journey through overcoming challenges in PE emulation, implementing hook tables, parsing ApiSet abstraction layers, and creating mock file systems and registry subsystems. Explore the process of implementing missing hooks and increasing emulation fidelity for comprehensive malware analysis.

Syllabus

Intro
The Problem: getting information from binaries. Each sample contains some total set of information; our goal is to extract as much of it as possible.
Our Goal: Reduce cost of information extraction
The How: Emulation
Existing PE Emulators
Requirements: What are we adding/extending from current work?
Build hook table by linking DLLs outside emulator
Overcoming Microsoft's ApiSet abstraction layer: parse ApiSetSchema.dll (multiple versions) and load the proper real DLL.
What is the minimum that the malware needs in order to continue proper execution?
Requirements for hooking
Two types of hooks in Binee
Example: Entry point execution
Userland structures, TIB/PEB/kshareduser
Starting with the Mock File System
Creating Files in the Mock File Subsystem
Mock Registry Subsystem
Configuration files define the OS environment quickly
Mocked threading: a round-robin scheduler approximately simulates a multi-threaded environment.
Increasing fidelity with proper DllMain execution
ROP gadgets - an easy shortcut to loading DLLs
How can I get started?
Implement a missing hook: an example
Implement a missing hook: function documentation SearchPathA function
Implement a missing hook: create a full hook
Implement a missing hook: rinse, repeat


Taught by

BasisTech
