BREAK OUT OF THE TRUMAN SHOW: ACTIVE DETECTION AND ESCAPE OF DYNAMIC BINARY INSTRUMENTATION presented at BlackHatAsia 2016

by Xiaoning Li, Ke Sun

Summary: Dynamic Binary Instrumentation (DBI) is an important and powerful technique for analyzing runtime code behavior, with uses including performance tuning, instruction analysis, simulation of new processor features, and so on. For these uses, reasonable transparency is good enough to minimize side effects and collect correct results. As the security community starts to extend DBI to security defense, it becomes very important to keep DBI tools fully transparent to the exploits and malware being analyzed. In past years, various approaches have been reported that make a DBI environment detectable by the targeted code. Current DBI detection studies mainly focus on passive methods such as memory inspection and resource and performance monitoring.
Given the imperfection of the binary translation process, more active detection methods can be used: specifically designed code targets the bugs or blind spots of the DBI tools and identifies the presence of the DBI from the execution results.
This talk focuses on such active detection techniques, which exploit weaknesses of the DBI tools such as the inability to handle 32-bit/64-bit cross-mode code, along with other bugs. Moreover, this presentation will show that anti-DBI practice can be taken one step further: not only to detect the DBI environment, but also to escape from its control and reverse the game.