Tricky sample? Hack it easy! Applying dynamic binary instrumentation to lightweight malware behaviour analysis

Thursday 4 October 09:00 - 09:30, Red room

Maksim Shudrak (Salesforce)

Dynamic binary instrumentation (DBI) is a technique for analysing the behaviour of a binary application at runtime through the injection of instrumentation code. This instrumentation code is designed to be transparent towards the instrumented application and it executes as a part of the normal execution flow without significant runtime overhead. Moreover, there are no limitations for the instrumentation code - a user can implement even a complex logic to observe execution flow, memory layout, etc. Certainly, such a flexible and powerful technique can and should be used for malware analysis. However, while there are several open-source tools (PoCs) implemented on top of DBI frameworks, their application for malware analysis is very limited.

In the talk the author will discuss the pros and cons of malicious code instrumentation and his experience of how DBI can be used to perform investigation of sophisticated banking trojans such as Gootkit and EmbusteBot as well as dozens of other malicious samples in practice.

Moreover, the author will release a new tool for transparent and lightweight dynamic malware analysis and will demonstrate, using examples, how this tool can help researchers to easily reveal important behaviour details of sophisticated malicious samples. EmbusteBot (a new banking trojan from Brazil found and reported by the author in 2017) was investigated using only this tool without even starting a debugger or disassembler.

Other VB2018 papers


Masashi Nishihata (Citizen Lab)
John Scott Railton (Citizen Lab)

Who wasn’t responsible for Olympic Destroyer?

Paul Rascagneres (Cisco Talos)
Warren Mercer (Cisco Talos)

Little Brother is watching - we know all your secrets!

Siegfried Rasthofer (Fraunhofer SIT)
Stephan Huber (Fraunhofer SIT)
Steven Arzt (Fraunhofer SIT)