Explore techniques for deobfuscating API functions in modern packers during this 42-minute Black Hat conference talk. Learn about static and dynamic API obfuscation methods used by malware to hinder analysis. Discover a novel approach using memory access analysis to map obfuscated API functions to their original counterparts, overcoming limitations of pattern matching and code optimization techniques. Examine the iterative run-until-API method for handling static obfuscation, leveraging dynamic binary instrumentation with Intel Pin to identify real API functions without full system emulation. Gain insights into applying these deobfuscation techniques to Themida 32/64 packed binaries, enabling analysis with common reverse engineering tools like x64dbg, Ollydbg, and IDA Pro.
API Deobfuscator - Resolving Obfuscated API Functions in Modern Packers
Overview
Syllabus
API Deobfuscator: Resolving Obfuscated API Functions In Modern Packers
Taught by
Black Hat
Related Courses
-
API Deobfuscator - Identifying Runtime-Obfuscated API Calls Via Memory Access Analysis
-
Deobfuscate UEFI - BIOS Malware and Virtualized Packers
-
Pindemonium - A DBI-Based Generic Unpacker for Windows Executable
-
A New Trend for the Blue Team - Using a Symbolic Engine to Detect Evasive Forms of Malware - Ransomware
-
The Art of Reverse Engineering Flash Exploits
