Covert Debugging: Circumventing Software Armoring Techniques presented at BlackHatDC 2007

by Danny Quist, Valsmith

URL: https://www.blackhat.com/presentations/bh-usa-07/Quist_and_Valsmith/Presentation/bh-usa-07-quist_and_valsmith.pdf

Summary: Software armoring techniques have increasingly created problems for reverse engineers and software analysts. As protections such as packers, run-time obfuscators, virtual machine and debugger detectors become common, newer methods must be developed to cope with them. In this talk we will present our covert debugging platform named Saffron. Saffron is based upon dynamic instrumentation techniques as well as a newly developed page fault assisted debugger. We show that the combination of these two techniques is effective in removing armoring from the most advanced software armoring systems. As a demonstration, we will automatically remove packing protections from malware.

Danny Quist: Danny Quist is the CEO and founder of Offensive Computing, LLC. His research is in automated analysis methods for malware with software and hardware assisted techniques. He has written several defensive systems to mitigate virus attacks on networks and developed a generic network quarantine technology. He consults with both private and public sectors on system and network security. His interests include malware defense, reverse engineering, exploitation methods, virtual machines, and automatic classification systems. Danny holds a Ph.D. from the New Mexico Institute of Mining and Technology.