Recon 2025

Egg Hunting without Eggs: Identifying Memory Locations of Objects Using Structural Characteristics
2025-06-29, Grand Salon

In modern computing environments, where address space layout randomization (ASLR) is prevalent, identifying the memory location of variables without symbol information remains a significant challenge. Despite this, the ability to locate variables in memory is critical in a range of applications, including exploit development, malware-based code and process injection, and memory forensics. Existing approaches generally fall into two categories: scanning memory for distinctive values, or calculating offsets from known pointers (e.g., obtained through an information leak). Both have inherent problems: value-based scanning fails when no distinctive byte pattern exists, and offset calculation is ineffective when the base pointer or the offset information is unavailable.

To overcome these problems, we propose a novel approach that leverages the structural characteristics of objects rather than their values. We suggest that if we can capture structural characteristics of objects, including sizes and offsets of member variables and pointer references among objects, it is possible to locate the object in memory by scanning based on these characteristics. To realize this approach, we have developed two key techniques: a binary analysis technique that reveals structural characteristics of objects by analyzing memory accesses during execution, and a memory analysis technique that locates objects by matching their internal structures and the reference structures among objects. By extracting structural characteristics from the binary in advance and then scanning memory with structural matching at runtime, our techniques enable the identification of the target object and its member variables.
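The following is an added illustration of the structural-matching idea in the paragraph above; it is not the talk's tool or code. It assumes two hypothetical object layouts (a `node` with a flags word, an optional `next` pointer and a required pointer to a `payload`; a `payload` with a bounded length and a back-pointer to its owner), a constructed 64-bit memory region, and a scanner that accepts a candidate address only when its own member layout and the objects it references are all consistent. Every address, layout and byte in the image is constructed for the demo.

```python
"""Structural scanning for objects in a memory image (added example).

Models the approach in the abstract: find an object by matching the sizes
and offsets of its members and its pointer references to other objects,
instead of by distinctive values. Layouts and data below are hypothetical.
"""
import struct

BASE = 0x7F0000000000  # constructed base address of the mapped region
WORD = "<Q"            # 64-bit little-endian words, as on x86-64 Linux

# Hypothetical layouts (assumed for the demo, not taken from the talk):
#   node    : { u64 flags; node *next (may be NULL); payload *data }  size 24
#   payload : { u64 length (1..4096); node *owner }                   size 16
SIGNATURES = {
    "node": {
        "size": 24,
        "fields": [
            (0, "int", (0, 0xFFFF)),         # small flags word
            (8, "ptr", ("node", True)),      # optional link to another node
            (16, "ptr", ("payload", False)), # required pointer to a payload
        ],
    },
    "payload": {
        "size": 16,
        "fields": [
            (0, "int", (1, 4096)),           # plausible length
            (8, "ptr", ("node", False)),     # back-reference to its owner
        ],
    },
}


def read_u64(image, addr):
    return struct.unpack_from(WORD, image, addr - BASE)[0]


def in_region(image, addr, size):
    return BASE <= addr and addr + size <= BASE + len(image)


def matches(image, addr, sig_name, depth=2, seen=None):
    """True if the bytes at addr satisfy sig_name's structural signature.

    Pointer members are followed and the referenced object is checked against
    its own signature up to `depth` levels, so a candidate only matches when
    its reference graph is consistent as well as its own layout.
    """
    sig = SIGNATURES[sig_name]
    if not in_region(image, addr, sig["size"]) or addr % 8:
        return False
    seen = seen or set()
    if (addr, sig_name) in seen:      # already under check higher up (cycle)
        return True
    seen = seen | {(addr, sig_name)}
    for off, kind, spec in sig["fields"]:
        value = read_u64(image, addr + off)
        if kind == "int":
            lo, hi = spec
            if not lo <= value <= hi:
                return False
        else:
            target, nullable = spec
            if value == 0:
                if not nullable:
                    return False
                continue
            if not in_region(image, value, SIGNATURES[target]["size"]):
                return False
            if depth > 0 and not matches(image, value, target, depth - 1, seen):
                return False
    return True


def scan(image, sig_name, depth=2):
    """Slide over the image at pointer alignment and collect every match."""
    size = SIGNATURES[sig_name]["size"]
    return [BASE + off for off in range(0, len(image) - size + 1, 8)
            if matches(image, BASE + off, sig_name, depth)]


def build_demo_image():
    """Constructed 512-byte region: one real node/payload pair and one decoy."""
    img = bytearray(512)
    node_addr, payload_addr, decoy_addr = BASE + 0x40, BASE + 0x100, BASE + 0x180
    # Real node: flags=3, next=NULL, data -> payload
    struct.pack_into("<QQQ", img, node_addr - BASE, 3, 0, payload_addr)
    # Real payload: length=128, owner -> node (closes the reference cycle)
    struct.pack_into("<QQ", img, payload_addr - BASE, 128, node_addr)
    # Decoy node: identical member values, but its payload's owner pointer
    # falls outside the region, so the reference structure does not hold
    struct.pack_into("<QQQ", img, decoy_addr - BASE, 3, 0, decoy_addr + 0x20)
    struct.pack_into("<QQ", img, decoy_addr + 0x20 - BASE, 128, 0x41414141)
    return bytes(img)


if __name__ == "__main__":
    print([hex(a) for a in scan(build_demo_image(), "node")])  # real node only
```

The decoy shows why following references matters: a scanner that checked only the candidate's own member ranges would report both nodes, while checking the reference structure (the payload must point back to a plausible node inside the mapped region) rejects the decoy.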

In this presentation, we begin by reviewing relevant applications and the limitations of existing techniques to motivate the need for our research and clarify the challenges. We then detail our binary and memory analysis techniques, and show their effectiveness and applicability through practical live demonstrations and empirical evaluations.

This presentation provides the audience with:
1. A new perspective: objects with identifiable structural characteristics can be located through memory analysis, even without distinctive values or known pointers.
2. A deep understanding of our binary and memory analysis techniques, including their technical details, practical effectiveness, and applicability as shown through evaluation and live demonstration.
3. A shared insight into the importance of integrating binary analysis with memory exploration, and its promising direction for the future of reverse engineering techniques.

Finally, we will release our proof-of-concept tool, enabling security researchers to apply our techniques immediately for further research and evaluation.

Toshinori Usui is an associate distinguished researcher and security principal at NTT Social Informatics Laboratories, with 10+ years of experience in binary analysis, malware analysis, and offensive security. Toshinori has presented his research at top-tier hacker and academic conferences such as Black Hat USA, RAID, and ACSAC. He is also a CTF lover focused on reversing and pwn, formerly a member of Sutegoma2 and binja and currently of Team Enu. Toshinori received his Ph.D. in 2021 and holds several security certifications, including GREM and GCFE.