Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Binary Instrumentation for Malware Analysis

Thomas Roccia
February 24, 2023

Binary Instrumentation for Malware Analysis

Analysing malware can be a complex and tedious task to understand deeper how it works. Malware can use anti-analysis techniques such as obfuscation or packing than can significantly increase the analysis time.

Binary instrumentation is the process of adding new instructions into a program or modifying existing code of a program. This concept can be applied to malware analysis to speed up the analysis process and retrieving internal data without spending too much time debugging binaries. Additionally, you can integrate binary instrumentation into your own tools to enhance your malware analysis arsenal.

This presentation will explore the concept of binary instrumentation as it can be applied to malware analysis. We'll look at some of the most popular tools like Frida and show you how to use them to extract information and defeat anti-analysis techniques.

Thomas Roccia

February 24, 2023

More Decks by Thomas Roccia

Other Decks in Technology


  1. WHAT IS BINARY INSTRUMENTATION? It modifies program behavior during execution

    by altering machine code. Involves adding code to the program to track, monitor or manipulate behavior. Used in software dev, security, performance analysis and other fields. Static and dynamic binary instrumentation Can be used for debugging, vulnerability research or malware analysis. Allows deeper insights into software behavior and effective issue resolution.
  2. Malware are often obfuscated or packed and used different mechanisms.

    It can be tricky and time consuming to reverse the whole binary. Isolate and analyse specific parts of the malware's behavior. HOW IT CAN BE USED FOR MALWARE ANALYSIS?
  3. FRIDA API HOOKING Trampoline-based hooks modify function call flow by

    inserting a jump instruction at the beginning of the targeted function. This jump redirects control to a function under our control, and once our function executes, the trampoline ensures that the original function's execution continues. Source: https://learnfrida.info/
  4. INTERCEPTOR API The "onEnter" function allows the viewing and modification

    of function arguments and memory sections before execution. The "onLeave" function allows the viewing and modification of return values and modified function arguments and memory sections after execution.
  5. GetProcAddress is used to get the memory address of a

    function in a DLL. Used by malware for obfuscation and evasion to avoid having to call the function directly. UNCOVERING OBFUSCATED API CALL Source: https://learn.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-getprocaddress
  6. UNPACKING VirtualAlloc reserves, commits, or modifies a region of pages

    in the calling process's virtual address space. VirtualProtect changes the protection of a region of committed pages in the calling process's virtual address space. Malware often uses VirtualAlloc in conjunction with VirtualProtect to change the permission of allocated memory to read-write-execute.
  7. WSCRIPT.EXE SHELL32.DLL ShellExecuteExW WS-32.DLL WSASocketW GetAddrInfoExW WSASend WSAAddressToStringW WSAStartup MALICIOUS

    SCRIPT ANALYSIS VBS/JS Source: OALabs https://www.youtube.com/watch?v=uqhBsWXUw7Q
  8. WRAP-UP To gain a deeper understanding, I encourage you to

    explore further on your own. Reverse engineering and malware analysis are complex processes with no single approach. Binary instrumentation is a powerful method to automate analysis and tool development, but it requires a foundation in malware analysis and OS internals. While we have only scratched the surface, binary instrumentation can be used for other goals such as taint analysis or symbolic execution.