(Advanced) Reversing with Dynamic Data Resolver (DDR) – Best practice

  • aNullValue
    Moderator
    • Jun 2019
    • 584

    #1

    (Advanced) Reversing with Dynamic Data Resolver (DDR) – Best practice

    Title: (Advanced) Reversing with Dynamic Data Resolver (DDR) – Best practice

    Description:
    DDR is an IDA plugin that instruments binaries using the DynamoRIO framework. In this presentation we will show you best practices for reverse engineering malware with DDR. The talk will discuss the internals of DDR and show you, by demonstration, the advantages of the tool.

    The DDR plugin can easily resolve the majority of dynamic values for registers and memory locations which are usually missed in a static analysis. It can help to find jump locations such as “call eax” or interesting strings such as “PE” which are decoded at runtime. The tool can be used to dump interesting buffers, and gives the opportunity to patch the binary at runtime to bypass anti-analysis techniques.

    In this presentation we will show you best practices for working with this tool, and the many ways in which it can facilitate malware analysis. More details and features can be found here: https://blog.talosintelligence.com/2...olver-1-0.html

    Speaker(s): Holger Unterbrink

    Location: Blue Team Vlg / Blue Team Vlg - Talks Track 1

    Discord: https://discord.com/channels/7082082...54317658734613

    Event starts: 2020-08-08 09:00 (09:00 AM) PDT (UTC -07:00)

    Event ends: 2020-08-08 10:00 (10:00 AM) PDT (UTC -07:00)

    For the most up-to-date information, please either visit https://info.defcon.org, or use HackerTracker, which is available for iOS and Android. This is an automated message, and this data was last modified 2020-08-06T21:48 (UTC).
    Last edited by aNullValue; August 7, 2020, 09:40.