Learn, hack!

Hacking and security documentation: slides, papers, video and audio recordings. All in high quality, updated daily, avoiding low-quality security documents. Spreading hacking knowledge, for free. Enjoy.

Helios - a fast, portable and transparent instruction tracer

Type: Slides
Tags: code analysis, debugger, debugging
Authors: Stefan Bühlmann
Event: Hashdays 2010
Indexed on: Mar 27, 2013
URL: https://www.hashdays.ch/assets/files/slides/buehlmann_helios_a_fast_portable_and_transparent_instruction_tracer.pdf
File name: buehlmann_helios_a_fast_portable_and_transparent_instruction_tracer.pdf
File size: 1.1 MB
MD5: dcac5677895f17b53afb684223445dbc
SHA1: e3cdeaa4cd203157483539eef9ffd33377daf769

An instruction trace is the sequence of instructions executed when running a program. Instruction traces have a large number of applications in malware analysis. Examples of such applications are detection of self-modifying code, automated unpacking, code-similarity analysis, reverse engineering of cryptographic code, vulnerability analysis, etc. It is thus not astonishing that we have recently seen considerable interest in instruction traces in the malware research community. Accordingly, there already exists a range of instruction tracers such as Ether, Temu and Pin. An ideal tracer will be efficient (support analysis of large numbers of malware), transparent (hard to detect and evade), and portable to different versions of the Windows operating system, and shall run on virtual and physical machines. None of the current tracers features all of these properties. We have developed a novel tracer dubbed "Helios", which overcomes these limitations. To this end, Helios uses several advanced and novel techniques. Our talk will first introduce the topic of tracing and its applications, followed by a detailed discussion of Helios. In particular, we will demonstrate Joedoc, a novel tool for detecting exploits in documents (e.g. PDFs) which is based on instruction traces.

About us

Secdocs is a project aimed at indexing high-quality IT security and hacking documents. These are fetched from multiple data sources: events, conferences and generally from the web.

Statistics

Serving 8166 documents and 531.0 GB of hacking knowledge, indexed from 2419 authors from 163 security conferences.

Contribute

To support this site and keep it alive, you can click on the buttons below. Any help is really appreciated! This service is provided for free, but real money is needed to pay bills.
