Recon 2025 - Attacking modern software protection with Dynamic Binary Instrumentation скачать в хорошем качестве

Recon 2025 - Attacking modern software protection with Dynamic Binary Instrumentation

Recon 2025 - Attacking modern software protection with Dynamic Binary Instrumentation Presenter: Holger Unterbrink Once confined to advanced malware, modern software protections—such as anti-debugging routines, anti-tamper mechanisms, and aggressive obfuscation—are now commonplace in commercial DRM and even in standard malware by using commercial protectors. These defenses significantly hinder traditional static analysis and debugger-based approaches, often concealing critical behavioral logic deep within runtime layers. Dynamic Binary Instrumentation (DBI) offers a compelling alternative by enabling real-time observation and manipulation of program execution. Unlike static techniques, DBI frameworks can bypass or neutralize many anti-analysis tricks by instrumenting instructions at runtime, providing unmatched visibility into program behavior and bypass some of the anti-analyzing techniques. This talk opens with a focused introduction to DBI concepts, exploring its architectural model, strengths, and where it best complements reverse-engineering workflows. We’ll then dive into DynamoRIO, a powerful open-source DBI framework supporting IA-32, AMD64, ARM, and AArch64 on Windows, Linux, and Android. Through practical examples, we’ll demonstrate how to develop a custom tracer and dumper capable of: Capturing instruction-level execution (code trace) Inspecting memory-resident objects and runtime data Dumping unpacked code segments for offline analysis Attendees will gain hands-on insights into dealing with real-world complexities like multithreaded execution, process spawning, and anti-debugging countermeasures. We’ll also show how to feed collected runtime data back into tools like IDA Pro to enrich static analysis with dynamic context. This talk is a hands-on, experience-driven walkthrough by someone who has spent over seven years building tools with DynamoRIO—including the now-archived DDR tool, which won the IDA Plugin Contest in 2020. Attendees will learn how to develop a DynamoRIO client from scratch. The session concludes with the public release of a DynamoRIO-based tracer, giving participants a practical foundation and template for integrating DBI into their own analysis pipelines. Talk Outline Introduction to DBI concepts DBI in malware analysis Intro to DynamoRIO and its position in Dynamic Binary Instrumentation (DBI) Architecture and execution model Building a minimal but extensible client Instruction-level tracing and manipulation Runtime memory inspection and string/object extraction Dumping memory and reconstructing PE files Running your client against real-world malware Enrich IDA IDB with DBI collected information Tips for extending your tool further Where to find help for own projects