Overview
Dive into an in-depth exploration of Windows Defender Antivirus' core functionality through this conference talk from Recon 2018. Uncover the intricacies of Defender's proprietary emulator for analyzing potentially malicious Windows PE binaries on endpoints. Learn about groundbreaking reverse engineering techniques for antivirus binary emulators, including instrumentation for observation and debugging, virtual environment components, bytecode lifting and execution, memory management, and emulation of usermode Windows API and NT kernel. Discover how file system and registry emulation integrate with Defender's antivirus features. Gain insights from security researcher Alexei Bulazel as he shares his expertise on emulator internals and reverse engineering, offering a unique perspective on Windows Defender's mpengine.dll and its vast functionality.
Syllabus
Recon 2018 - Reverse Engineering Windows Defender Part II
Taught by
Recon Conference