Dive into a 35-minute conference talk from Recon 2022 that explores the intricate workings of Wslink, a sophisticated loader associated with the Lazarus group. Uncover the advanced virtual machine obfuscator protecting Wslink samples and learn about the multiple layers of obfuscation techniques employed, including junk code insertion, virtual operand encoding, and nested VMs. Follow along as the speaker, Vladislav Hrčka, an experienced malware analyst from ESET, presents a semiautomatic approach to deobfuscating the VM's internals. Gain insights into the symbolic execution method used to extract virtual opcode semantics and understand how treating certain VM constructs as concrete values enables automatic handling of additional obfuscation techniques. Compare the deobfuscation results against non-obfuscated samples to validate the effectiveness of this approach in reverse engineering challenging malware.
Under the Hood of Wslink Multilayered Virtual Machine
Overview
Syllabus
Recon 2022 - Under the hood of Wslink multilayered virtual machine
Taught by
Recon Conference
Related Courses
-
Under the Hood of Wslink Multilayered Virtual Machine
-
The Next Generation of Virtualization Based Obfuscators
-
Press Play To Restart - Under the Hood of the Windows Restart Manager
-
Defeating APT10 Compiler-level Obfuscation
-
Deobfuscate UEFI - BIOS Malware and Virtualized Packers
-
Bringing the Power of Symbolic Execution to the Fight Against Malicious Excel 4 Macros
