2025-06-27, Grand Salon
Once confined to advanced malware, modern software protections—such as anti-debugging routines, anti-tamper mechanisms, and aggressive obfuscation—are now commonplace in commercial DRM and even in run-of-the-mill malware that ships wrapped in a commercial protector. These defenses significantly hinder static analysis and debugger-based approaches, often concealing the critical behavioral logic deep within runtime layers that are only unpacked at execution time.
Dynamic Binary Instrumentation (DBI) offers a compelling alternative by enabling real-time observation and manipulation of program execution. Unlike static techniques, a DBI framework rewrites instructions as they are executed, which lets the analyst bypass or neutralize many anti-analysis tricks while gaining instruction-level visibility into program behavior.
This talk opens with a focused introduction to DBI concepts, exploring its architectural model, strengths, and where it best complements reverse-engineering workflows. We’ll then dive into DynamoRIO, a powerful open-source DBI framework supporting IA-32, AMD64, ARM, and AArch64 on Windows, Linux, and Android. Through practical examples, we’ll demonstrate how to develop a custom tracer and dumper capable of:
- Capturing instruction-level execution (code trace)
- Inspecting memory-resident objects and runtime data
- Dumping unpacked code segments for offline analysis
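One concrete step behind "dumping unpacked code segments for offline analysis" (and the outline item "Dumping memory and reconstructing PE files") is making a raw memory dump loadable again: in memory, each PE section sits at its RVA, but the section headers still carry the on-disk `PointerToRawData`/`SizeOfRawData` values, so IDA or a PE loader would read the wrong bytes. The following C program is an added example, not code from the talk or from DynamoRIO: it defines the few PE header structures it needs (so it compiles without `windows.h`), builds a constructed two-section "dump" with stale raw pointers, and rewrites the section table so file offsets equal RVAs. Buffer layout, section names and sizes are assumptions for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal PE structures, declared here so the example builds on any platform. */
#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t reserved[58]; uint32_t e_lfanew; } dos_header_t;
typedef struct {
    uint16_t Machine, NumberOfSections;
    uint32_t TimeDateStamp, PointerToSymbolTable, NumberOfSymbols;
    uint16_t SizeOfOptionalHeader, Characteristics;
} file_header_t;
typedef struct {
    uint8_t  Name[8];
    uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData;
    uint32_t PointerToRelocations, PointerToLinenumbers;
    uint16_t NumberOfRelocations, NumberOfLinenumbers;
    uint32_t Characteristics;
} section_header_t;
#pragma pack(pop)

#define SAMPLE_OPT_HDR_SIZE 0xF0   /* assumed PE32+ optional header size for the sample */

uint8_t g_dump[0x3000];           /* constructed memory image */
uint8_t g_junk[64];               /* zero-filled buffer: not a PE */

/* Locate the section table with bounds checks; NULL if the image is malformed. */
static section_header_t *section_table(uint8_t *img, size_t len, uint16_t *count) {
    if (len < sizeof(dos_header_t)) return NULL;
    dos_header_t *dos = (dos_header_t *)img;
    if (dos->e_magic != 0x5A4D) return NULL;                       /* "MZ" */
    size_t pe = dos->e_lfanew;
    if (pe + 4 + sizeof(file_header_t) > len) return NULL;
    if (memcmp(img + pe, "PE\0\0", 4) != 0) return NULL;
    file_header_t *fh = (file_header_t *)(img + pe + 4);
    size_t tbl = pe + 4 + sizeof(file_header_t) + fh->SizeOfOptionalHeader;
    if (tbl + (size_t)fh->NumberOfSections * sizeof(section_header_t) > len) return NULL;
    *count = fh->NumberOfSections;
    return (section_header_t *)(img + tbl);
}

/* Rewrite section headers of a memory dump so that file offset == RVA.
   Returns the number of sections rewritten, or -1 if the buffer is not a PE. */
int fix_dumped_sections(uint8_t *img, size_t len) {
    uint16_t n;
    section_header_t *sec = section_table(img, len, &n);
    if (!sec) return -1;
    for (uint16_t i = 0; i < n; i++) {
        sec[i].PointerToRawData = sec[i].VirtualAddress;   /* data already sits at its RVA */
        sec[i].SizeOfRawData    = sec[i].VirtualSize;
    }
    return n;
}

/* Accessors used to inspect the result; 0xFFFFFFFF on error or bad index. */
uint32_t section_raw_ptr(uint8_t *img, size_t len, int idx) {
    uint16_t n; section_header_t *sec = section_table(img, len, &n);
    return (sec && idx >= 0 && idx < n) ? sec[idx].PointerToRawData : 0xFFFFFFFFu;
}
uint32_t section_raw_size(uint8_t *img, size_t len, int idx) {
    uint16_t n; section_header_t *sec = section_table(img, len, &n);
    return (sec && idx >= 0 && idx < n) ? sec[idx].SizeOfRawData : 0xFFFFFFFFu;
}

/* Constructed image as it would look in memory: headers at 0, .text at RVA 0x1000,
   .data at RVA 0x2000, but with stale on-disk raw pointers (0x400 / 0xC00). */
size_t build_sample_dump(uint8_t *buf, size_t len) {
    const size_t need = 0x3000;
    if (len < need) return 0;
    memset(buf, 0, need);
    dos_header_t *dos = (dos_header_t *)buf;
    dos->e_magic = 0x5A4D;
    dos->e_lfanew = 0x80;
    memcpy(buf + 0x80, "PE\0\0", 4);
    file_header_t *fh = (file_header_t *)(buf + 0x84);
    fh->Machine = 0x8664;
    fh->NumberOfSections = 2;
    fh->SizeOfOptionalHeader = SAMPLE_OPT_HDR_SIZE;
    section_header_t *sec = (section_header_t *)(buf + 0x84 + sizeof(file_header_t) + SAMPLE_OPT_HDR_SIZE);
    memcpy(sec[0].Name, ".text\0\0\0", 8);
    sec[0].VirtualAddress = 0x1000; sec[0].VirtualSize = 0x800;
    sec[0].PointerToRawData = 0x400; sec[0].SizeOfRawData = 0x800;
    memcpy(sec[1].Name, ".data\0\0\0", 8);
    sec[1].VirtualAddress = 0x2000; sec[1].VirtualSize = 0x300;
    sec[1].PointerToRawData = 0xC00; sec[1].SizeOfRawData = 0x400;
    memset(buf + 0x1000, 0xCC, 0x800);   /* constructed section bytes, left untouched by the fix */
    memset(buf + 0x2000, 0x41, 0x300);
    return need;
}

/* Build the sample and apply the fix; returns the number of sections rewritten. */
int run_demo(void) {
    size_t len = build_sample_dump(g_dump, sizeof g_dump);
    return fix_dumped_sections(g_dump, len);
}

int main(void) {
    int n = run_demo();
    printf("rewrote %d section headers; .text raw ptr now 0x%x\n",
           n, section_raw_ptr(g_dump, sizeof g_dump, 0));
    return n > 0 ? 0 : 1;
}
```

This covers only the section table; a dump taken from a live process still needs its entry point checked, its imports rebuilt if the unpacker resolved them at runtime, and the headers re-read at the module's actual load base if it was relocated.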
Attendees will gain hands-on insights into dealing with real-world complexities like multithreaded execution, process spawning, and anti-debugging countermeasures. We’ll also show how to feed collected runtime data back into tools like IDA Pro to enrich static analysis with dynamic context.
This talk is a hands-on, experience-driven walkthrough by someone who has spent over seven years building tools with DynamoRIO—including the now-archived DDR tool, which won the IDA Plugin Contest in 2020. Attendees will learn how to develop a DynamoRIO client from scratch.
The session concludes with the public release of a DynamoRIO-based tracer, giving participants a practical foundation and template for integrating DBI into their own analysis pipelines.
Talk Outline
- Introduction to DBI concepts
- DBI in malware analysis
- Intro to DynamoRIO and its place in the DBI landscape
- Architecture and execution model
- Building a minimal but extensible client
- Instruction-level tracing and manipulation
- Runtime memory inspection and string/object extraction
- Dumping memory and reconstructing PE files
- Running your client against real-world malware
- Enriching the IDA IDB with DBI-collected information
- Tips for extending your tool further
- Where to find help for your own projects
Holger is a longtime security enthusiast with more than 25 years of experience in the information security industry. He started his career as a penetration tester and now works for Cisco Talos as a technical leader in malware analysis and threat hunting, where he finds new, cutting-edge security threats and analyzes their components. Holger has given talks at international security conferences such as Recon, BlackHat, HackInTheBox, ISC, NorthSec, CiscoLive and others. He is also the author of several offensive and defensive security tools and won the IDA plugin contest with his Dynamic Data Resolver (DDR) IDA plugin in 2020. Recently, he did extensive research on reversing Nim binaries (Recon talk 2023) and VMProtect (Recon talk 2024).