Thursday 25 September 14:00 - 14:30, Green room.
Hexiang Hu Microsoft
Steven Zhou Microsoft
Geoff McDonald Microsoft
Applications built on the Microsoft .NET Framework compile into a Common Intermediate Language (CIL), formerly known as Microsoft Intermediate Language (MSIL). When executed, this intermediate language is either interpreted by a virtual machine or compiled to native code at runtime by a just-in-time (JIT) compiler. This approach gives developers many advantages, such as a single binary that can execute on multiple platforms and CPU architectures, but it has proved a technical challenge for anti-malware software and researchers, since many traditional analysis tools no longer apply.
Recently, we've been wrestling with more malware families developed using the .NET Framework. These families often use a variety of custom and commercial .NET packers that obfuscate and pack the code, making code analysis more difficult for anti-malware researchers.
To address this problem, this presentation introduces a .NET malware research tool that assists both automated and researcher-driven analysis of .NET malware. The tool dynamically instruments .NET malware to record the functions that are called, together with the CIL code of each method as it is about to be compiled. This presentation will cover the following topics:
Hexiang Hu is a computer science student from Zhejiang University and recently transferred to Simon Fraser University. He worked at Microsoft Malware Protection Center as an anti-virus researcher intern in the summer. He is interested in and passionate about machine learning, reverse engineering and malware research.
Steven Zhou is an anti-virus researcher with Microsoft Malware Protection Center out of Vancouver, Canada. He has been working in the IT security field for more than 10 years, and has a particular interest in fighting MSIL-based malware. In his spare time, he loves hiking and spending time with his family.
Geoff is an anti-virus researcher working in the Microsoft Malware Protection Center, with most of his experience in reverse engineering malware and related vulnerabilities. As a hobby, Geoff can often be found developing reverse-engineering and vulnerability-fuzzing tools, some of which can be found on his personal website http://www.split-code.com/.