Learn, hack!

URL

http://recon.cx/2010/slides/recon-dirtbox.pdf

File name

recon-dirtbox.pdf

File size

1001.6 KB

MD5

0ddf5b082df1f561c2f5dc7040575374

SHA1

003d4d5b9a94c80cfbc73e1612ac02bcd46960f7

dirtbox is an attempt to implement a highly scalable x86/Windows emulator that can be both used for simple malware detection and detailed behavior analysis reports. Instead of emulating every single x86 instruction in software, malware instructions are executed directly on the host CPU in a per basic block fashion. A disassembling run on each basic block ensures that no privileged or control flow subverting instructions are executed. The notion of virtual memory that is separated from the emulators memory is employed by special LDT segments and switching segment selectors before executing guest instructions. The operating system is emulated at the syscall layer. While this layer is mostly undocumented and implementing it in an accurate fashion is a challenging task on its own, the fact that no register changes are leaked from Ring 0 thwarts a lot of detection techniques. For usage of the high-level APIs, corresponding libraries are directly mapped into the virtual memory as well. Detection mechanisms such as: - Examination of the ecx register after a SEH protected API call - Stolen bytes from an API library implementation - Direct reads and writes from PEB or other static locations or libraries are supported automatically