Recon 2024

Alan Sguigna

Although he does have a day job, Alan Sguigna has been moonlighting for 10+ years doing JTAG debug of UEFI targets. Having tired of that, he convinced a bunch of developers to enhance their existing UEFI tools to debug the Windows kernel as well, including Hyper-V and VBS-enabled targets.
Author of The MinnowBoard Chronicles and a prolific blogger on technical topics, Alan enjoys simplifying complex topics, and making knowledge accessible to all.

  • JTAG debug of Windows Hyper-V / Secure Kernel with WinDbg and DCI/EXDI
  • Workshop for JTAG debug of Windows Hyper-V / Secure Kernel with WinDbg and DCI/EXDI
Alessandro Di Federico

One day while playing a CTF I thought "hey, this decompiler could be done better".

I like C++, LLVM, binaries, Free Software and privacy.

During my dark academia years I presented at USENIX, DEF CON and several other compilers/computer security conferences.

I'm the co-founder of rev.ng Labs, the company developing the rev.ng decompiler.
My activities include overseeing the overall design and maintaining the first half of the decompilation pipeline.

  • Path of rev.ng-ance: from raw bytes to CodeQL on decompiled code
Andrea Allievi

Andrea Allievi is a system-level developer and security research engineer with more than 18 years of experience. He graduated from the University of Milano-Bicocca in 2010 with a bachelor’s degree in computer science. For his thesis, he developed a Master Boot Record (MBR) Bootkit entirely in 64-bits, capable of defeating all the Windows 7 kernel-protections (PatchGuard and Driver Signing enforcement). Andrea is also a reverse engineer who specializes in operating systems internals, from kernel-level code all the way to user-mode code. He was the original designer of the first UEFI Bootkit (developed for research purposes and published in 2012), multiple PatchGuard bypasses, and many other research papers and articles. He is the author of multiple system tools and software used for removing malware and advanced persistent threats. In his career, he has worked in various computer security companies—Italian TgSoft, Saferbytes (now MalwareBytes), and Talos group of Cisco Systems Inc. He originally joined Microsoft in 2016 as a Security Research Engineer in the Microsoft Threat Intelligence Center (MSTIC) group. Since January 2018, Andrea has been a Principal Core OS engineer in the Kernel Security Core team of Microsoft, where he mainly maintains and develops new features (like Retpoline, Speculation Mitigations, Function Overrides, ARM64 Import Optimization, Trusted Apps and many more...) for the NT and Secure Kernel. He is one of the main authors of the Windows Internals book.

Andrea continues to be active in the security research community, authoring technical articles on new kernel features of Windows in the Microsoft Windows Internals blog, and speaking at multiple technical conferences, such as Recon and Microsoft BlueHat.

  • Hypervisor-enforced Paging Translation - The end of non data-driven Kernel Exploits?
Antonio Villani

Dr. Antonio Villani is the Co-Founder of RETooling. He is working full-time on the development of red-team and adversary emulation capabilities for his company. Previously he spent most of his time in the blue team, reversing high level implants for top tier customers and providing detailed information to support cyber-defense and cyber threat intelligence teams. Now he analyzes complex implants to gain a deep understanding of the TTPs used by threat actors and to provide a high-quality reimplementation of them. As a researcher he published in top tier conferences and journals, and he participated in European research projects in the field of cyber resilience and data security. During his PhD he worked in the field of malware research and digital forensics.

  • An unexpected journey into Microsoft Defender's signature World.
Bálint Varga-Perke

Bálint Varga-Perke is a founder of Silent Signal where he serves as an IT security expert. Since 2010 he's been performing penetration tests in over a dozen countries for major companies from sectors including finance, healthcare and government. His research focuses on reverse engineering and finding vulnerabilities in widely used software, with a compulsive focus on security products. He is a contributor to the latest CIS Benchmark for IBM i, and works on documenting the security features of the platform at RISC-level.

  • Control Flow Integrity on IBM i
Caleb Davis

Caleb Davis is a founding member of the Cybersecurity organization, SolaSec. Caleb operates out of the Dallas/Fort Worth area and has a degree in Electrical Engineering from the University of Texas at Tyler. He is an inventor/patent holder and has a background in embedded hardware/software development. He leads a team of experts that regularly perform penetration testing across a wide variety of products including medical devices, ATMs, chemical control systems, security solutions, and other commercial products. Additionally, Caleb has a passion for integrating security into the product development life cycle and has helped several organizations in their approach to shifting left.

  • Bare Metal Firmware Dev: Forwards and Backwards
Chris Alladoum

Chris is a security researcher currently working in Vancouver, Canada, who brings his reversing and exploitation expertise to enhance EDR features by day, and hacks his own tools at night. He is passionate about everything low-level, and cultivates an addiction around debuggers.

  • Tips & Tricks for better debugging with WinDbg
Chris Bellows

Chris is a Research Science Director at Atredis Partners leading and executing highly technical embedded, network, application, and red team assessments, as well as complex reverse engineering and exploit development projects.

  • DaBootZone: Breaking the DA1469x BootROM
Chris Wysopal

Chris Wysopal is the founder and CTO at Veracode with responsibility for security research, product security and information security. Prior to joining Veracode, Chris worked as a software developer before diving into security research and security consulting. He had security research roles at several companies, including Symantec, @stake and the hacker think tank, L0pht where he was one of the original vulnerability researchers in the 1990s. He has testified on Capitol Hill in the US on the subjects of government computer security and how vulnerabilities are discovered in software. He is also the author of "The Art of Software Security Testing" published by Addison-Wesley.

  • Decompilation Panel
Cindy Xiao

Cindy Xiao is a security researcher who works primarily on malware reverse engineering, in support of cyber threat intelligence reporting. Cindy enjoys learning from other security practitioners (both offensive and defensive), developing tools to help with analysis, and mentoring others.

  • Reversing Rust Binaries: One step beyond strings (workshop)
Cristina Cifuentes

As Vice President of Oracle's Software Assurance organisation, I lead a team of world-class security researchers and engineers whose passion lies in solving the big issues in Software Assurance. Our mission is to make application security and software assurance, at scale, a reality. We enjoy working with today's complex enterprise systems composed of millions of lines of code, variety of languages, established and new technologies, to detect vulnerabilities and attack vectors before others do. Automation is important, so are security assessments.

Cristina was the founding Director of Oracle Labs Australia in 2010, a team she led for close to 12 years. As Director of Oracle Labs Australia, I led a team of world-class Researchers and Engineers whose passion lies in solving the big issues in Program Analysis. Our team specialises in software vulnerability detection and developer productivity enhancement – in the context of real-world, commercial applications that contain millions of lines of code. My team successfully released Oracle Parfait, a static analysis tool used by thousands of C/C++/Java developers each day. Our inventions have resulted in dozens of US patents at Oracle and Sun Microsystems, and our impact on program analysis is well known through our active participation and publication record.

Cristina’s passion for tackling the big issues in the field of Program Analysis began with her doctoral work in binary decompilation at the Queensland University of Technology, which led to her being named the Mother of Decompilation for her contributions to this domain. In an interview with Richard Morris for Geek of the Week, Cristina talks about Parfait, Walkabout and her career journey in this field.

Before she joined Oracle and Sun Microsystems, Cristina held academic posts at major Australian Universities, co-edited Going Digital, a landmark book on Cybersecurity, and served on the executive committees of ACM SIGPLAN and IEEE Reverse Engineering.

Cristina continues to play an active role in the international programming language and software security communities. Where possible, she channels her interests into mentoring young programmers through the CoderDojo network and mentoring women in STEM.

  • From Student of Compilation to Mother of Decompilation -- 30 Years Edition
  • Decompilation Panel
Davide Fontana

Davide Fontana is a Master's degree student in Cybersecurity at the University of Sapienza in Rome, currently writing his final thesis, with a passion for reverse engineering and malware analysis. He holds a bachelor's degree in Information Technology from the University of L'Aquila, Italy.

  • An unexpected journey into Microsoft Defender's signature World.
Elias Bachaalany

Elias is a programmer at heart and a passionate reverse engineer with focus on Windows OS and the x86 architecture. Elias loves writing and teaching and is a big fan of IDA Pro and loves sharing his knowledge about that product (he runs the AllThingsIDA YouTube channel).

  • A Tale of Reverse Engineering 1001 GPTs: The Good, the Bad, and the Ugly
Erik Egsgard

Erik is a Principal Security Developer with Field Effect. With almost 20 years of experience in the computer security field he has found vulnerabilities across a wide range of software and operating systems including Windows, MacOS, iOS and Android.

  • Tales From The Crypt: Bug Hunting in the Windows CryptoAPI
Erwan Grelet

Erwan Grelet is a security researcher currently working at Ubisoft in the Game Security team. He spent several years working as a low-level software engineer before that.
He is particularly interested in software reverse engineering, vulnerability research and software obfuscation.

  • Seeing Through Themida's Code Mutation
Gabi Cirlig

Gabriel Cirlig is Principal Security Researcher at HUMAN Security. A software developer-turned-rogue, Gabriel is the go-to expert for any mobile reverse engineering within HUMAN’s Satori Threat Intelligence and Research team. He went from developing apps for small businesses to 2M+ DAU Facebook games while keeping an eye open for new opportunities. In the past few years, Gabriel has shifted gears and started his career as a security researcher while speaking at various conferences showcasing what he’s hacked. With a background in electronics engineering and various programming languages, he likes to dismantle and (hopefully) put back whatever he gets his hands on.

  • Guerilla Reversing: SMALI steps towards Android reversing
Gabriel Landau

Gabriel Landau is a principal at Elastic Security. His research focuses on attack and defense of AV, EDR, and the Windows kernel. He has presented research at Black Hat USA, ShmooCon, and Black Hat Asia. His non-public work includes endpoint protections, exploit mitigation, and malware reversing. Though he mostly wears blue these days, his heart will always be red.

  • Smoke and Mirrors: Driver Signatures Are Optional
Gijs Rijnders

Gijs is a cyber threat intelligence analyst and malware reverse engineer at the Dutch National Police where he defends the Police organization from cyber attacks. He previously worked at the CERT of Tesorion, a Dutch cyber security company where he reverse engineered various ransomware families and published decryption tools to the NoMoreRansom initiative to help victims recover from attacks.

  • Cryptography is hard: Breaking the DoNex ransomware
Holger Unterbrink

Holger is a longtime security enthusiast, with more than 25 years of experience in the information security industry. He started his career as a penetration tester and is now working for Cisco Talos as technical leader in the malware and threat hunting sector. He finds new, cutting-edge security threats and analyzes their components. Holger gave talks at international security conferences such as Recon, BlackHat, HackInTheBox, ISC, NorthSec, CiscoLive and others. He is also the author of several offensive and defensive security tools and won the IDA plugin contest with his Dynamic Data Resolver (DDR) IDA plugin in 2020. Recently, he did extensive research on reversing Nim binaries (Recon talk 2023).

  • Architecture Analysis of VMProtect 3.8: Demystifying the Complexity
Ilfak Guilfanov
  • Decompilation Panel
Ivan Rouzanov

Ivan Rouzanov is a seasoned software engineer with over three decades of experience, focusing on debugging software within the Windows environment. Throughout his career, he has had the privilege of contributing his expertise to esteemed tech companies such as Microsoft, CrowdStrike, and Intel. With a genuine passion for untangling the intricate web of software bugs, Ivan has debugged and resolved numerous issues, amassing a wealth of experience along the way. He is dedicated to continuous learning and improvement, and firmly believes in sharing knowledge!

  • JTAG debug of Windows Hyper-V / Secure Kernel with WinDbg and DCI/EXDI
James Chambers

James Chambers is a Senior Security Consultant in the NCC Group Hardware & Embedded Systems security practice. He enjoys reverse engineering video games to find opportunities for creative code execution, as well as resurrecting lost features. His past projects include reverse engineering Animal Crossing to discover an unused NES ROM loading feature that could also be used to patch code in memory, fuzzing GameCube games in emulation using Dolphin, and programming a Proxmark to fuzz Amiibo data over NFC.

  • Reverse Engineering the PowerG Wireless Protocol
Joshua Reynolds

Joshua Reynolds is the founder of Invoke RE. Joshua has over ten years of reverse engineering, malware analysis and security experience working for industry leading companies. He has spoken at major conferences such as RSA, DEF CON and Virus Bulletin on topics including ransomware and malicious document analysis. He is also the co-author of a malware analysis course that is taught annually at an academic institution.

  • Automating Malware Deobfuscation with Binary Ninja
Juan Andres Guerrero-Saade

Juan Andrés Guerrero-Saade (better known as 'JAGS') is AVP of Research at SentinelOne and Distinguished Resident Fellow for Threat Intelligence at the Johns Hopkins SAIS Alperovitch Institute for Cybersecurity Studies. He was Google Chronicle’s Research Tsar, co-founder of Stairwell, and a Principal Security Researcher at GReAT focusing on targeted attacks. Prior to that, JAGS worked as Senior Cybersecurity and National Security Advisor to the Government of Ecuador. He’s currently co-authoring a book on Hacking Team with Lorenzo Franceschi-Bicchierai for Union Square & Co. His joint work on Moonlight Maze is now featured in the International Spy Museum's permanent exhibit in Washington, DC.

  • Project 0xA11C: Deoxidizing the Rust Malware Ecosystem
Kyle Shockley

Kyle Shockley is one of the founding members of SolaSec. He received a B.S. in Finance and International Business, as well as an M.S. in Information Systems from Indiana University. Kyle has delivered high-value information technology solutions for over 12 years to clients in multiple industries. With experience in a variety of projects, Kyle has developed vulnerability management programs, executed advanced adversarial attack simulations, and built IT strategic roadmaps for clients around the world.

  • Bare Metal Firmware Dev: Forwards and Backwards
Laurie Kirk

Laurie Kirk is a Reverse Engineer specializing in cross-platform malware analysis with a focus on mobile threats. She also runs a YouTube channel (@LaurieWired) that covers all sorts of in-depth Malware Analysis, Reverse-Engineering, Exploitation, and security topics. She has spoken at multiple conferences including DEFCON, TROOPERS23, Objective by the Sea, KernelCon, BlueHat, and BSides Seattle.

  • Manipulating Malware: Forcing Android Malware to Self-Unpack
Lindsay Kaye

Lindsay Kaye is the Vice President of Threat Intelligence at HUMAN Security. Her technical specialty spans the fields of malware analysis and reverse engineering, with a keen interest in dissecting custom cryptographic systems. Lindsay is an internationally-recognized cybersecurity speaker and author. Lindsay holds a BS in Engineering with a Concentration in Computing from Olin College of Engineering and an MBA from Babson College.

  • Guerilla Reversing: SMALI steps towards Android reversing
Lucas GEORGES

Sharing the same curse as Ian Beer, people think that Lucas GEORGES is not a real person. Or more precisely that a real person is behind this pseudonym. Honestly, what kind of parents would name their children after a world famous director?

Well, my parents did that. In their defense I don't think they have seen any movie directed by my illustrious homonym.

Apart from that, Lucas GEORGES is a veteran reverse engineer with 10 years of work under his belt. He used to be particularly competent on Windows security but as the world is trying to step away from Microsoft's prying hands, Lucas tries to do it too.

  • Open Sesame: stack smashing your way into opening doors.
Luke McLaren

Mobile reverse engineer @datalocaltmp. Founded Signal 11 Research - https://s11research.com, and previously maintained https://theappanalyst.com.

Claimed bounties with Meta, Ring, Match.com, Biden Campaign, Bird Scooters, and many others; always looking for that next bug.

  • Mobile Visualization for Reverse Engineering & Debugging
Mateusz Jurczyk

Mateusz works as a security researcher in the Google Project Zero team. His main areas of interest are client software security, vulnerability exploitation and mitigation techniques, and delving deep into operating system internals with a special emphasis on Microsoft Windows. He has spoken at numerous security conferences including Black Hat, REcon, Infiltrate, PacSec and 44CON.

  • Peeling Back the Windows Registry Layers: A Bug Hunter's Expedition
Moritz Schloegel

Moritz Schloegel is a binary security researcher at the CISPA Helmholtz Center for Information Security. He is currently in the last year of his PhD and focuses on automated finding, understanding, and exploitation of bugs. Furthermore, he possesses a deep passion for exploring the complexities of (de-)obfuscation, emphasizing automated deobfuscation attacks and their countermeasures.

  • Unleashing AI: The Future of Reverse Engineering with Large Language Models
netspooky

Netspooky is a security researcher. He is the founder and organizer of the Binary Golf Grand Prix, cofounder/editor/art director of Linux VX zine tmp.0ut, and was the art director for ThugCrowd. His research background includes protocol reverse engineering, file format hacking, industrial control systems, firmware dev, and embedded device security. His work has appeared in tmp.0ut, BGGP, PoC||GTFO, VX Underground, Defcon and others.

  • Binary Golfing UEFI Applications
Nicole Fishbein

Nicole Fishbein is a security researcher and malware analyst. Prior to Intezer she was an embedded researcher in the Israel Defense Forces (IDF) Intelligence Corps. Nicole has been part of research that led to discovery of previously unseen APT malware and novel attacks on Linux-based cloud environments. Her current research focuses on the use of non-standard languages like .NET, Go, and Rust by advanced threat actors.

  • Project 0xA11C: Deoxidizing the Rust Malware Ecosystem
Nika Korchok Wakulich

Nika Korchok Wakulich (aka ic3qu33n) is a hacker/reverse engineer/artist based in Brooklyn, NY. She is a Security Consultant at Leviathan Security Group where she works on a range of penetration testing engagements, with a focus on hardware, firmware and embedded security. Outside of work, she combines her artistic practice (woodcut prints, painting, drawing, etc.) with her independent security research on passion projects in different areas of security.

She has presented her security research at a number of InfoSec conferences including REcon, OffensiveCon, Hushcon, and BSides SF. She is a contributing writer for a number of hacker zines, including tmp.0ut and VX-Underground Black Mass.

When she isn't making art, reverse engineering or making art as a part of her reverse engineering process, she enjoys learning languages, skateboarding, and taking long walks (à la Paul Erdős).
You can find her online, in a few of the various corners of the internet she frequents at:
- Twitter: @nikaroxanne
- GitHub: @ic3qu33n and @nikaroxanne
- Website/Portfolio: https://ic3qu33n.fyi
- Mastodon: ic3qu33n@infosec.exchange
- Keybase: @ic3qu33n

  • GOP Complex: Image parsing bugs, EBC polymorphic engines and the Deus ex machina of UEFI exploit dev
Nils Rollshausen

Somehow — and without ever having owned more than an iPod — Nils fell down the Apple rabbit hole and now spends their days reverse-engineering Apple's devices and uncovering the bits of magic hiding inside the machines that surround us every day. After a long day of breaking things with Frida in new and interesting ways, they also enjoy building new stuff once in a while. Currently, they are pursuing a PhD in computer science at the Secure Mobile Networking Lab (SEEMOO) of TU Darmstadt.

  • WatchWitch — The Apple Watch Protocol Stack from Scratch
Oliver Lavery

Oliver Lavery's interest in security was born in the Montreal BBS scene, and came of age when he discovered anyone could dial into DATAPAC...

Today he's a Sr. Security Engineer at Element55, Amazon Devices and Services' vulnerability research team. He has a few decades of experience in defensive and offensive software security, reverse engineering, and vulnerability research for clients in hi-tech, finance, and critical infrastructure.

  • Breaking Z-Waves: How we use Symbolic Execution to find Critical RF Vulnerabilities
Pietro Fezzardi

After my MSc in Mathematics I thought it was cool to do something with immediate consequences in the real world and started working in embedded systems.
I got hooked on low level programming, and worked for a few years on automated bug-detection for High-Level Synthesis compilers for FPGAs, during my PhD at Politecnico di Milano.
While trying to decide what to do with my life, I spent a short time at ARM in the Research-Security group, working on fuzzing and static program analysis.
I finally decided to try myself and join rev.ng Labs as co-founder, to help build the rev.ng decompiler. So far it's been a great journey!

  • Path of rev.ng-ance: from raw bytes to CodeQL on decompiled code
Rusty Wagner

Rusty Wagner is a founder of Vector 35 and the architect of Binary Ninja, a reverse engineering and static analysis platform created at Vector 35. His main focus on the product has been the creation of a series of progressively higher level intermediate representations to analyze and decompile binary code in an architecture agnostic and easily scriptable way.

He is the author of Pwn Adventure, Vector 35's series of video games designed to be hacked. These games provide a fun way for students to learn about reverse engineering techniques and security concepts.

Mr. Wagner also has over a decade of industry experience in the development of dynamic analysis tools, with a focus on emulation and hypervisor implementations of debuggers and scriptable dynamic analysis frameworks.

  • Decompilation Panel
Satoshi Tanda

Satoshi (@standa_t) is a security researcher, software engineer, and trainer with 15+ years of experience. He works on virtualization and security for game consoles and previously worked at security software vendors as a developer, researcher, and reverse engineer. In his spare time, he enjoys studying system software security and has discovered vulnerabilities in hypervisors, drivers, and UEFI firmware.

  • Hypervisor-enforced Paging Translation - The end of non data-driven Kernel Exploits?
Sergey Bratus
  • Decompilation Panel
Silvio

Dr. Silvio La Porta is CEO and Co-Founder at RETooling, defining and developing a Threat Actor emulation platform enabling red teams to recreate a realistic attack scenario. Previously he was a Senior Cyber Security Architect designing security products and researching advanced detection technology for complex malware/APT. Silvio previously was a lead research scientist with EMC Research Europe based in the Centre of Excellence in Cork, Ireland. His primary research focus areas were real-time network monitoring and data analysis in smart grids to detect malware activity in SCADA systems and corporate networks. He was also leading Security Service Level Agreement (Sec-SLA) and end user security/privacy protected data store projects for hybrid Cloud environments. He is a frequent speaker at professional and industry conferences. Before joining EMC, Silvio worked as a Malware Reverse Engineer in Symantec's Security Response team in Dublin, Ireland. Silvio holds a PhD in Computer Network Security from the University of Pisa, Italy.

  • An unexpected journey into Microsoft Defender's signature World.
Sina Kheirkhah

@SinSinology is a full time vulnerability researcher, pwn2own 202{2,3,4} contestant, Microsoft MVR 2022/2023

  • .NET Exploitation WorkShop
Sultan Qasim Khan

Sultan Qasim Khan is a Technical Director at NCC Group, one of the largest security consultancies in the world with over 35 global offices, 2,000 employees and 15,000 clients. Based in Waterloo, Ontario, Canada, he specializes in assessment and development of secure embedded systems and wireless communication protocols. Sultan is experienced working in the land between software and hardware, specializing in the security analysis of embedded systems and wireless protocols from the physical layer up. Sultan is the creator of Sniffle, the first open-source Bluetooth 5 sniffer, Sniffle Relay, the first Bluetooth LE link layer relay attack, and nOBEX, a tool for testing and fuzzing Bluetooth Classic profiles.

  • Reverse Engineering the PowerG Wireless Protocol
Takahiro Haruyama

Takahiro Haruyama is a reverse engineer with over 15 years of extensive experience and knowledge in malware/vulnerability research and digital forensics. He has spoken at several notable conferences including REcon, Virus Bulletin, HITB, DFRWS, SANS DFIR Summit, and BlackHat Briefings USA/Europe/Asia.

  • The Art of Malware C2 Scanning - How to Reverse and Emulate Protocol Obfuscated by Compiler
Tim Blazytko

Tim Blazytko is a well-known binary security researcher and co-founder of emproof. After working on novel methods for code deobfuscation, fuzzing and root cause analysis during his PhD, Tim now builds code obfuscation schemes tailored to embedded devices. Moreover, he gives trainings on reverse engineering & code deobfuscation, analyzes malware and performs security audits.

  • Unleashing AI: The Future of Reverse Engineering with Large Language Models
TOOOL

The mission of the Open Organisation Of Lockpickers is to advance the general public knowledge about locks and lockpicking. By examining locks, safes, and other such hardware and by publicly discussing our findings we hope to strip away the mystery with which so many of these products are imbued.

The more that people know about lock technology, the better they are capable of understanding how and where certain weaknesses are present. This makes them well-equipped to participate in sportpicking endeavors and also helps them simply be better consumers in the marketplace, making decisions based on sound fact and research.

The Open Organisation Of Lockpickers, or TOOOL, is an international group of lockpicking enthusiasts dedicated to advancing the general public knowledge about locks and lockpicking through teaching, research, and competition. TOOOL in the United States is a 501(c)(3) non-profit organization with Chapters in the United States and Canada.

  • Lockpick Village Friday
  • Lockpick Village Saturday
  • Lockpick Village Sunday
Travis Goodspeed

Travis Goodspeed is a reverse engineer of embedded systems from East Tennessee, where he has recently written a book on Microcontroller Exploits. His 1964 Studebaker has nine transistors and no firmware in the drive train, but there are always books on semiconductors in the back seat.

  • GameBoy ROM Extraction