Skip navigation.

Shmoocon 2008: Malware Software Armoring Circumvention Content

We just finished giving our talk at Shmoocon 2008, which is a slight update of our Blackhat 2007 talk. Under great peer pressure we decided to give a live demonstration of Saffron-kernel. It crashed the first time but the second attempt worked well. We unpacked two sets of packers live on stage: TeLock and Vmprotect. Afterwards we were even able to unpack a random binary from the audience. Thanks to the Shmoocon organizers and everyone who got up early to see our talk.

Presentation PDF
Original Saffron DI code This is our material from Blackhat 2007. This is a proof of concept, and not production code.

Shmoocon is a really nice conference. If you get a chance to attend I highly recommend it.


Software armoring techniques have increasingly created problems for reverse engineers and software security analysts. As protections such as packers, run-time obfuscators, virtual machine and debugger detectors become common, newer methods must be developed to cope with them. In this talk we will present our forensically sound debugging platform named Saffron. Saffron is based upon dynamic instrumentation techniques as well as a page fault assisted debugger. We show that the combination of these two techniques is effective in removing armoring from most software armoring systems.