Learn, hack!

Hacking and security documentation: slides, papers, video and audio recordings. All in high-quality, daily updated, avoiding security crap documents. Spreading hacking knowledge, for free, enjoy. Follow on .

dirtbox, a highly scalable x86/Windows Emulator

Type
Slides
Tags
emulation
Authors
Georg Wicherski
Event
REcon 2010
Indexed on
Aug 08, 2014
URL
http://recon.cx/2010/slides/recon-dirtbox.pdf
File name
recon-dirtbox.pdf
File size
1001.6 KB
MD5
0ddf5b082df1f561c2f5dc7040575374
SHA1
003d4d5b9a94c80cfbc73e1612ac02bcd46960f7

dirtbox is an attempt to implement a highly scalable x86/Windows emulator that can be both used for simple malware detection and detailed behavior analysis reports. Instead of emulating every single x86 instruction in software, malware instructions are executed directly on the host CPU in a per basic block fashion. A disassembling run on each basic block ensures that no privileged or control flow subverting instructions are executed. The notion of virtual memory that is separated from the emulators memory is employed by special LDT segments and switching segment selectors before executing guest instructions. The operating system is emulated at the syscall layer. While this layer is mostly undocumented and implementing it in an accurate fashion is a challenging task on its own, the fact that no register changes are leaked from Ring 0 thwarts a lot of detection techniques. For usage of the high-level APIs, corresponding libraries are directly mapped into the virtual memory as well. Detection mechanisms such as: - Examination of the ecx register after a SEH protected API call - Stolen bytes from an API library implementation - Direct reads and writes from PEB or other static locations or libraries are supported automatically

About us

Secdocs is a project aimed to index high-quality IT security and hacking documents. These are fetched from multiple data sources: events, conferences and generally from interwebs.

Statistics

Serving 8166 documents and 531.0 GB of hacking knowledge, indexed from 2419 authors from 163 security conferences.

Contribute

To support this site and keep it alive, you can click on the buttons below. Any help is really appreciated! This service is provided for free, but real money is needed to pay bills.

Flattr this Click here to lend your support to: Keep live SecDocs for an year and make a donation at www.pledgie.com !

© 2007-2022 Alessandro Tanasi (@jekil)
To report bugs or suggest features write to .