New Reversing and Visualization Tools Released this Summer
A few conference acceptances are in so I can now lift the cone of silence and share some of the research I've been doing.
Lately I've been using Artem Dinaburg and Paul Royal's excellent Ether Malware Analysis system, which they presented at ACM CCS last year. This is very good work that lets you instrument a running binary extremely well, and the paper they wrote is very good. I've submitted some patches to the project, and overall it's in good shape. I'll write up a more detailed post about using the Ether framework later. Those of you who have been using Saffron should check out this system: even though it requires dedicated hardware, it's a much more robust system.
Using Ether, I've been working on my visualization tool for better integration of dynamic and static analysis. I call it VERA: Visualizing Execution for Reversing and Analysis. Using the dynamic trace data and unpacking capabilities of Ether, VERA helps you unpack unknown binaries, reduce reversing time, and generally make the whole process easier. I've shown it to a fairly limited set of people, mainly the students in my Reverse Engineering courses, and it seems to be reasonably well received.
I will be talking about VERA at some conferences and workshops this summer and fall. The first are the Blackhat USA Briefings 2009 and Defcon 17. This talk will show how to integrate Ether into the reversing process and will also demonstrate VERA. I'll be giving a live demo and releasing the tool here.
A more formal treatment will be at the Workshop on Visualization and Security 2009 (VizSec). This paper will outline the nitty-gritty details of the Reverse Engineering process and how VERA fits into it.
I hope to see you this summer. Several former OC members will be giving talks too, so it should be a worthwhile experience.