Visual Malware Reversing - Offensive Computing

Recommendations

Info

Determining DLL Address Space • Old Method – Attach to process via debugger interface – Call windows APIs to query address module – Resolve addresses from the DLL listings • Problems – Hypervisor has no access to internal Windows APIs – Access to APIs would violate sterility of guest environment (DETECTION) – No real way to extract data we need
Import Repair Process • New Method – Use kernel memory management data structure • Virtual Address Descriptor – VAD – Each process has a VAD to describe memory usage – OS uses VADs to interact with CPU MMU – Very accurate use of process space • Data Structure - Balanced Binary Tree – Address space – Size of memory region – Execution flags – Module memory mapping This is all the information needed to rebuild imports
Page 1 and 2: Visual Malware Reversing How to Sto
Page 3 and 4: Goals • Identify structure of mal
Page 5 and 6: Complexities of Reverse Engineering
Page 7 and 8: What is VERA? • Visualizing Execu
Page 9 and 10: What the Colors Mean • Yellow - N
Page 11 and 12: Ether Improvements • Import recon
Page 13 and 14: Imported API Recovery • Removing
Page 15 and 16: Which is easier to read? No Imports
Page 17: Import Repair Process • Each impo
Page 21 and 22: Original Entry Point Detection •
Page 23 and 24: Problems with Ether • Heavy-weigh
Page 25 and 26: Veratrace Demonstration Demo 2
Page 27 and 28: Caveat Emptor • Intel PIN is very
Page 29 and 30: VERA Analysis Machine VERA - IDA Pl
Page 31 and 32: Future Work • Memory usage analys
Page 33: http://www.offensivecomputing.net/v

Visual Malware Reversing - Offensive Computing

Create successful ePaper yourself

Delete template?

Save as template?