Blackhat USA 2009: Reverse Engineering by Crayon
My Blackhat talk is over and I think things went really well. As promised, here is the latest information on the slides. To be able to use VERA you will need to follow the installation instructions from the Ether project. Thanks again to everyone who attended and thank you for all the great questions.
If you're going to try to use Ether (which you definitely should), make sure you run Debian Sarge (or Etch or Lenny) with a 64-bit installation. From there, the installation instructions from the Ether site should be all you need.
Read more for usage instructions.
To use the VERA code, you'll need to execute Ether with the instrtrace option and the binary you want to analyze. To do that, first start your Xen Windows image:
xm create /etc/xen/your-windows-config.cfg
Once it is completely booted, copy your file onto the system. From there you will need to start Ether. The command line to use is:
./ether ID_GOES_HERE instrtrace file-to-analyze.exe > file-to-analyze.trace
Start the executable on the virtual machine. Let it run for a little while and then kill the process inside of your virtual machine. Once that is done, copy the .trace file to your Windows box.
The next step will be to run gengraph.exe on the resulting file. You will need both the trace file and the original executable in order to properly parse it.
gengraph.exe file-to-analyze.trace file-to-analyze.exe file-to-analyze.gml
This will generate two files: all-file-to-analyze.gml and bbl-file-to-analyze.gml. Now it's time to use the VERA program. You can simply open the GML files and begin exploring the file.
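The GML files that gengraph.exe writes are plain Graph Modelling Language, so they can be examined outside VERA as well. The following is an added example and not part of VERA, Ether, or the original post: a small self-contained GML parser plus a few graph queries a reverser typically wants from a basic-block graph (where the trace entered, which blocks sit at the head of a loop, how far each block is from the entry). The sample graph is constructed for the example; it assumes, as a labelling convention, that each node label is a basic-block address and each edge is a control transfer observed in the trace, which is not guaranteed to match the attributes gengraph.exe actually emits.

```python
"""Parse a GML basic-block graph and summarise it (added example, not VERA code)."""
import re
from collections import defaultdict, deque

# Constructed sample standing in for a bbl-<file>.gml. Assumption (not taken
# from gengraph.exe): node label = basic-block address, edge = control transfer
# seen in the trace. Blocks 1 and 2 form a small loop; 3 and 4 follow it.
SAMPLE_GML = """
graph [
  directed 1
  node [ id 0 label "0x401000" ]
  node [ id 1 label "0x401010" ]
  node [ id 2 label "0x401020" ]
  node [ id 3 label "0x402000" ]
  node [ id 4 label "0x402010" ]
  edge [ source 0 target 1 ]
  edge [ source 1 target 2 ]
  edge [ source 2 target 1 ]
  edge [ source 2 target 3 ]
  edge [ source 3 target 4 ]
]
"""

# GML tokens: quoted strings, the two brackets, or bare words/numbers.
TOKEN_RE = re.compile(r'"(?:[^"\\]|\\.)*"|\[|\]|[^\s\[\]]+')


def _parse_value(tokens, i):
    """Parse one value starting at tokens[i]; return (value, next_index)."""
    tok = tokens[i]
    if tok == "[":
        return _parse_list(tokens, i + 1)
    if tok.startswith('"'):
        return tok[1:-1], i + 1
    for conv in (int, float):
        try:
            return conv(tok), i + 1
        except ValueError:
            pass
    return tok, i + 1


def _parse_list(tokens, i):
    """Parse key/value pairs up to the matching ']'. Every key maps to a list,
    because GML repeats keys such as node and edge."""
    result = defaultdict(list)
    while tokens[i] != "]":
        key = tokens[i]
        value, i = _parse_value(tokens, i + 1)
        result[key].append(value)
    return dict(result), i + 1


def parse_gml(text):
    """Return the top-level 'graph [ ... ]' object as nested dicts of lists."""
    tokens = TOKEN_RE.findall(text)
    if tokens[:2] != ["graph", "["]:
        raise ValueError("not a GML graph")
    graph, _ = _parse_list(tokens, 2)
    return graph


def load_graph(text):
    """Return (labels, succ, pred): id -> label, plus successor/predecessor lists."""
    g = parse_gml(text)
    labels = {n["id"][0]: n["label"][0] for n in g.get("node", [])}
    succ = {n: [] for n in labels}
    pred = {n: [] for n in labels}
    for e in g.get("edge", []):
        s, t = e["source"][0], e["target"][0]
        succ[s].append(t)
        pred[t].append(s)
    return labels, succ, pred


def reachable(succ, start):
    """Nodes reachable from start by following edges (start itself only if on a cycle)."""
    seen, queue = set(), deque(succ[start])
    while queue:
        n = queue.popleft()
        if n not in seen:
            seen.add(n)
            queue.extend(succ[n])
    return seen


def entry_nodes(pred):
    """Nodes with no predecessors: where the trace entered the graph."""
    return sorted(n for n, ps in pred.items() if not ps)


def loop_heads(succ, pred):
    """Nodes with both an entry edge from outside and a back edge from a node
    they can reach: the usual shape of an unpacking or decompression loop."""
    heads = []
    for n in succ:
        reach = reachable(succ, n)
        if any(p in reach for p in pred[n]) and any(p not in reach for p in pred[n]):
            heads.append(n)
    return sorted(heads)


def bfs_depth(succ, start):
    """Shortest edge count from start to every reachable node."""
    depth, queue = {start: 0}, deque([start])
    while queue:
        n = queue.popleft()
        for m in succ[n]:
            if m not in depth:
                depth[m] = depth[n] + 1
                queue.append(m)
    return depth


if __name__ == "__main__":
    labels, succ, pred = load_graph(SAMPLE_GML)
    print(len(labels), "blocks,", sum(len(v) for v in succ.values()), "edges")
    print("entry blocks:", [labels[n] for n in entry_nodes(pred)])
    print("loop heads:", [labels[n] for n in loop_heads(succ, pred)])
```

To run it against a real graph, read the bbl-<file>.gml contents into load_graph instead of SAMPLE_GML; the parser keeps every key as a list, so any extra per-node attributes gengraph.exe writes (for example a hit count) stay available as `n["somekey"][0]` without changes to the parser.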
I hope you find it useful. If you run into problems please feel free to email me. dquistoffensivecomputing(DoOT)net.