Malware Software Armoring Circumvention presented at ShmooCon 2008

by Danny Valsmith,

Tags: Security Malware

Summary : Software armoring techniques have increasingly created problems for reverse engineers and software security analysts. As protections such as packers, run-time obfuscators, virtual machine and debugger detectors become common, newer methods must be developed to cope with them. In this talk we will present our forensically sound debugging platform named Saffron. Saffron is based upon dynamic instrumentation techniques as well as a page fault assisted debugger. We show that the combination of these two techniques is effective in removing armoring from most software armoring systems.
Bio - Danny Quist
Software armoring techniques have increasingly created problems for reverse engineers and software security analysts. As protections such as packers, run-time obfuscators, virtual machine and debugger detectors become common, newer methods must be developed to cope with them. In this paper we will present our covert debugging platform named Saffron. Saffron is based upon dynamic instrumentation techniques as well as a newly developed page fault assisted debugger. We show that the combination of these two techniques is effective in removing armoring from most software armoring systems.
Bio - Valsmith
Valsmith has been involved in the computer security community and industry for over ten years. He currently works as a professional security researcher on problems for both the government and private sectors. He specializes in penetration testing (over 40,000 machines assessed), reverse engineering and malware research. Valsmith is a member of the Cult of the Dead Cow Ninja Strike Force. He also works on the Metasploit project as well as other vulnerability development efforts and can be seen every year at Blackhat/Defcon.