Overview
Explore techniques for defeating the transparency feature of Dynamic Binary Instrumentation (DBI) systems in this Black Hat conference talk. Delve into the world of program analysis and malware detection as speakers Kang Li and Xiaoning Li demonstrate methods to break the transparency of popular DBI tools like DynamoRIO and PIN. Learn about specially crafted x86 instruction sequences that expose fundamental limitations of binary instrumentation and translation. Discover position-independent NOP sequences that evade detection and differentiate between x86 decoders. Gain insights into the challenges faced by DBI tools, their importance in malware analysis, and the potential implications for program feature collection and virtual machine binary translation. Through various examples and demonstrations, understand the intricacies of binary instrumentation, code caching, and the artifacts that can reveal the presence of DBI systems.
Syllabus
Introduction
About Colin Lee
Binary Instrumentation
Observing Program Behavior
Code Cache
Dynamic Binary Instrumentation
Popular Tools
Transparency
Fuzzing
Run twice
Simple implementation artifacts
Checking the parent process
More clues
Another artifact
Summary
Quick Example
Fancy Examples
Simple Example
New Example
Initial Idea
What can we do
Developer feedback
Robin assays
Panning
Is it possible
The problem
Questions
Conclusion
Taught by
Black Hat