Sandbagility - Reverse Engineering Framework for Windows dynamic analysis presented at ReconMontreal2018 2018

by Eddy Deligne, François Khourbiga,

Summary : There mainly three different approaches in malware reverse engineering: static, dynamic and sandboxed analysis. The last approach is the fastest way to get some information, if the malware is not designed to detect, escape or avoid sandboxes. In this case, the analyst must do some static or dynamic analysis, which can be much slower. Sandbagility is a Hypervisor based introspection framework for Microsoft Windows designed for reverse engineering. This framework was developed to offer a hybrid solution between dynamic and sandbox analysis and reduce analysis time. It was written in Python and is currently based on a [modified version of VirtualBox hypervisor]( It was thought to be stealthy, adaptive and easy to use. Our presentation will use a practical study case to describe the framework. The chosen case is a well-known one, which is wannacry (not for its technical level but for educational purposes).