An instruction trace is the sequence of instructions executed when running a program. Instruction traces have a large number of applications in malware analysis. Examples of such applications are detection of self-modifying code, automated unpacking, code-similarity analysis, reverse engineering of cryptographic code, vulnerability analysis, etc. It is thus not astonishing that we have recently seen considerable interest in instruction traces in the malware research community. Accordingly, there already exists a range of instruction tracers such as Ether, Temu and Pin. An ideal tracer will be efficient (support analysis of large numbers of malware), transparent (hard to detect and evade), and portable to different versions of the Windows operating system and shall run on virtual and physical machines. None of the current tracers features all of these properties. We have developed a novel tracer dubbed "Helios", which overcomes these limitations. To this end Helios uses several advanced and novel techniques. Our talk will first introduce to the topic of tracing and its applications, followed by a detailed discussion of Helios. In particular, we will demonstrate Joedoc a novel tool for detecting exploits in documents (e.g. PDFs) which is based on instruction traces.
Secdocs is a project aimed to index high-quality IT security and hacking documents. These are fetched from multiple data sources: events, conferences and generally from interwebs.
Serving 8166 documents and 531.0 GB of hacking knowledge, indexed from 2419 authors from 163 security conferences.