We're sorry but this page doesn't work properly without JavaScript enabled. Please enable it to continue.
Feedback

Next Generation Process Emulation with Binee

Formal Metadata

Title
Next Generation Process Emulation with Binee
Title of Series
Number of Parts
335
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
Language

Content Metadata

Subject Area
Genre
Abstract
The capability to emulate x86 and other architectures has been around for some time. Malware analysts have several tools readily available in the public domain. However, most of the tools stop short of full emulation, halting or doing strange things when emulating library functions or system calls not implemented in the emulator. In this talk we introduce a new tool into the public domain, Binee, a Windows Process emulator. Binee creates a nearly identical Windows process memory model inside the emulator, including all dynamically loaded libraries and other Windows process structures. Binee mimics much of the OS kernel and outputs a detailed description of all function calls with human readable parameters through the duration of the process. We've designed Binee with two primary use cases in mind; data extraction at scale with a cost and speed similar to common static analysis tools, and second, for malware analysts that need a custom operating system and framework without the overhead of spinning up various configurations of virtual machines. Currently Binee can run on Windows, OS X, and Linux. Kyle Gwinnup Kyle is a Senior Threat Researcher in Carbon Black's TAU team. He has over 10 years of experience in many areas of computer science and IT. Prior to Carbon Black, Kyle worked in finance and with the DoD in various roles ranging from network/systems administrator, software engineer, reverse engineer, penetration tester and offensive tool developer. At Carbon Black, Kyle's focus is on large scale program analysis, primarily static but moving asymptotically toward dynamic analysis. John Holowczak John is a Threat Researcher on Carbon Black's Threat Analysis Unit, focusing on automation of threat detection and building out infrastructure for large scale malware analysis. Within the field of threat detection and analysis, John specializes his research in binary classification, dynamic analysis and reverse engineering.