Blue Team Village - Reversing with Dynamic Data Resolver (DDR)

Zitieren

Zugehöriges Material

DEF CON

Unterbrink, Holger

Formale Metadaten

Titel

Blue Team Village - Reversing with Dynamic Data Resolver (DDR)

Untertitel

Best Practice

Serientitel

DEF CON Safe Mode

Anzahl der Teile

374

Autor

Unterbrink, Holger

Lizenz

CC-Namensnennung 3.0 Unported:
Sie dürfen das Werk bzw. den Inhalt zu jedem legalen Zweck nutzen, verändern und in unveränderter oder veränderter Form vervielfältigen, verbreiten und öffentlich zugänglich machen, sofern Sie den Namen des Autors/Rechteinhabers in der von ihm festgelegten Weise nennen.

Identifikatoren

10.5446/49812 (DOI)

Herausgeber

DEF CON

Erscheinungsjahr

2020

Sprache

Englisch

Inhaltliche Metadaten

Fachgebiet

Informatik

Genre

Konferenz/Talk

Abstract

DDR is an IDA plugin that instruments binaries using the DynamoRIO framework. In this presentation we will show you best practices how to reverse engineer malware with DDR. The talk will discuss the internals of DDR and show you by demonstration, the advantages of the tool. The DDR plugin can easily resolve the majority of dynamic values for registers and memory locations which are usually missed in a static analysis. It can help to find jump locations such as “call eax” or interesting strings such as “PE” which are decoded at runtime. The tool can be used to dump interesting buffers, and gives the opportunity to patch the binary at runtime to bypass anti-analysis techniques. In this presentation we will show you best practices for working with this tool, and the many ways in which it can facilitate malware analysis.