Ivan Fontarensky
Last known affiliation: Thales
Abstract
Disass is a binary analysis framework written in Python to automate static malware reverse engineering. Disass is currently not designed to handle packed binaries, as static unpacking is a tough task in its own right.
The approach is simple: it is stupid to repeat the same reverse engineering steps for the same malware again and again. The framework lets a reverser describe, in a simple way, the individual steps that have to be done and replay them automatically. Today such a task is typically achieved by relying on byte patterns, regular expressions and, probably, fixed offsets. Our approach instead aims to understand the assembly code: Disass is able to follow the code structure, analyze the stack to extract function arguments, and so on.
This leads to signatures that are far easier to understand and thus to maintain.
Last but not least, by describing assembly code "checkpoints" instead of a byte pattern, the signature is not impacted by junk code or by a different compiler version generating a different variant of the assembly.
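To make the contrast concrete, here is an added example (not Disass code, and not taken from the talk) that runs the two kinds of signature over a constructed disassembly listing. The listing, the `some_api` import label and the three-checkpoint rule are all assumptions made up for the illustration: the byte-pattern regex matches the clean function but breaks as soon as junk instructions are inserted, whereas the ordered checkpoint rule still matches and a small push/pop replay still recovers the two call arguments from the stack.

```python
import re

# Constructed listing: (address, opcode bytes as hex, mnemonic, operands).
# "some_api" is a hypothetical import label, not a name from the talk.
CLEAN = [
    (0x401000, "6a00",       "push", "0"),
    (0x401002, "68a0304000", "push", "0x4030a0"),
    (0x401007, "e8f4ffffff", "call", "some_api"),
]
# Same logic after junk insertion: a nop, a self-xchg and a balanced push/pop pair.
JUNK = [
    (0x401000, "6a00",       "push", "0"),
    (0x401002, "90",         "nop",  ""),
    (0x401003, "87c9",       "xchg", "ecx, ecx"),
    (0x401005, "68a0304000", "push", "0x4030a0"),
    (0x40100a, "50",         "push", "eax"),
    (0x40100b, "58",         "pop",  "eax"),
    (0x40100c, "e8f4ffffff", "call", "some_api"),
]

# Classic byte-pattern signature: push imm8 0, push imm32, call rel32, contiguous.
BYTE_PATTERN = re.compile(r"6a00" r"68[0-9a-f]{8}" r"e8[0-9a-f]{8}")


def byte_pattern_matches(listing):
    """Regex over the raw bytes of the function; any inserted junk breaks it."""
    raw = "".join(b for _, b, _, _ in listing)
    return BYTE_PATTERN.search(raw) is not None


# Checkpoint signature: ordered (mnemonic, operand regex) pairs; anything may sit between.
CHECKPOINTS = [
    ("push", r"^0$"),
    ("push", r"^0x[0-9a-f]+$"),
    ("call", r"^some_api$"),
]


def match_checkpoints(listing, checkpoints):
    """Return the instruction index hitting each checkpoint in order, or None."""
    hits, pos = [], 0
    for mnem, operand_re in checkpoints:
        for i in range(pos, len(listing)):
            _, _, m, ops = listing[i]
            if m == mnem and re.match(operand_re, ops):
                hits.append(i)
                pos = i + 1
                break
        else:
            return None  # a checkpoint was never reached
    return hits


def call_args(listing, call_index, nargs):
    """Replay push/pop up to the call; return the top nargs slots, first argument first."""
    stack = []
    for _, _, m, ops in listing[:call_index]:
        if m == "push":
            stack.append(ops)
        elif m == "pop" and stack:
            stack.pop()
    if len(stack) < nargs:
        return None
    return list(reversed(stack[-nargs:]))


def extract(listing):
    """Apply the checkpoint rule and, on a hit, pull the two arguments of the final call."""
    hits = match_checkpoints(listing, CHECKPOINTS)
    if hits is None:
        return None
    return call_args(listing, hits[-1], 2)


if __name__ == "__main__":
    for name, listing in (("clean", CLEAN), ("junk", JUNK)):
        print(name, "bytes:", byte_pattern_matches(listing),
              "checkpoints:", match_checkpoints(listing, CHECKPOINTS),
              "args:", extract(listing))
```

The checkpoint matcher is deliberately a plain ordered-subsequence search, so the same rule survives the junk instructions and the balanced `push eax` / `pop eax` pair, while the stack replay is what turns a match into extracted arguments rather than a bare yes/no.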