DDR (Dynamic Data Resolver) is an IDA plugin that instruments binaries using the DynamoRIO framework. In this presentation we will show you best practices for reverse engineering malware with DDR. The talk will discuss the internals of DDR and demonstrate the advantages of the tool.
The DDR plugin can easily resolve the majority of dynamic values for registers and memory locations that are usually missed in static analysis. It can help to find the targets of indirect control transfers such as `call eax`, or interesting strings such as the “PE” signature of an embedded payload, which only exist once they have been decoded at runtime. The tool can be used to dump interesting buffers, and lets you patch the binary at runtime to bypass anti-analysis techniques. As with any dynamic approach, values are only resolved for the code paths that actually execute during the instrumented run, so the sample must be driven down the paths of interest.
In this presentation we will show you best practices for working with this tool, and the many ways in which it can facilitate malware analysis.