
Binee - Complete Emulation of Advanced Malware

BasisTech via YouTube

Overview

Explore advanced malware emulation techniques in this conference talk from OSDFCon 2019. Dive into Binee, a new Windows Process emulator that creates a nearly identical Windows process memory model, mimics the OS kernel, and outputs detailed function call descriptions. Learn how Binee collects dynamic analysis data at speeds comparable to static analysis tools, including obfuscated or packed function calls. Discover the debug mode resembling gdb, allowing for breaking, memory and register modifications, and function parameter adjustments. Understand Binee's potential as a framework for future projects, including ELF and Mach-O binary support. Gain insights into rapid examination of control flow and function arguments, valuable for reverse engineers and vulnerability researchers. Follow the speaker's journey through overcoming challenges in PE emulation, implementing hook tables, parsing ApiSet abstraction layers, and creating mock file systems and registry subsystems. Explore the process of implementing missing hooks and increasing emulation fidelity for comprehensive malware analysis.

Syllabus

Intro
The Problem: getting information from binaries. Each sample contains some total set of information; our goal is to extract as much of it as possible.
Our Goal: Reduce cost of information extraction
The How: Emulation
Existing PE Emulators
Requirements: What are we adding/extending from current work?
Build hook table by linking DLLs outside emulator
Overcoming Microsoft's ApiSet abstraction layer: parse ApiSetSchema.dll (multiple versions) and load the proper real DLL.
What is the minimum that the malware needs in order to continue proper execution?
Requirements for hooking
Two types of hooks in Binee
Example: Entry point execution
Userland structures, TIB/PEB/kshareduser
Starting with the Mock File System
Creating Files in the Mock File Subsystem
Mock Registry Subsystem
Configuration files define the OS environment quickly
Mocked Threading: a round-robin scheduler approximately simulates a multi-threaded environment.
Increasing fidelity with proper DllMain execution
ROP Gadgets - an easy shortcut to loading DLLs
How can I get started?
Implement a missing hook: an example
Implement a missing hook: function documentation (SearchPathA)
Implement a missing hook: create a full hook
Implement a missing hook: rinse, repeat

Taught by

BasisTech
