Replacement Talk: Peeking into Pandora’s Bochs
- April 7th, 2010
- Posted in Uncategorized
There is a change in the program: a new talk, “Peeking into Pandora’s Bochs: instrumenting a full system emulator to analyse malicious software” by Lutz Böhne (RedTeam Pentesting GmbH), replaces BSDaemon’s talk (we’re really sorry he cannot attend the conference; it would have been great to see Rodrigo here. Next time!).
Abstract:
Today, malicious software (malware) poses a major threat to computer systems. Oftentimes, malware is runtime-packed (or -encrypted) to evade signature-based malware detectors and to make the actual malicious code inaccessible to static analysis methods. It is also common for the runtime unpacking (or decryptor) stubs to employ anti-debugging techniques to prevent dynamic analysis and manual unpacking by human analysts.
Pandora’s Bochs was originally developed as a tool to unpack runtime-packed binaries. The open source PC emulator Bochs’s instrumentation facilities were extended with a Python interface, and a set of Python routines was created to monitor an unmodified Windows XP guest system. It can identify and instrument individual processes, trace memory writes and branches, and dump process memory when a modified memory region is executed. This method works well against common runtime-packers. As Pandora’s Bochs does not rely on debugging facilities provided by the guest system, it is largely unaffected by common anti-debugging techniques. Since its inception as an automated unpacker, Pandora’s Bochs was extended to also monitor calls to the Windows API and their arguments.
The presentation will focus on the technical aspects of Pandora’s Bochs. It will give a brief overview of typical runtime packer and executable protector behaviour, of Bochs’s instrumentation facilities and of the Python interface that was created. It will detail the techniques used to obtain information about guest operating system and process states, how processes are monitored and unpacked, and how API call tracing is implemented. Like Bochs, Pandora’s Bochs is open source software.
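The write-then-execute heuristic the abstract describes (trace memory writes, dump when a branch lands in a modified region) as an added example in Python, the language of Pandora’s Bochs’s instrumentation interface; this is illustrative code, not the project’s own, and the event model, per-process filtering, byte-granular tracking and the constructed trace are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

@dataclass
class Event:
    kind: str      # "write" (memory write) or "branch" (control transfer)
    pid: int       # guest process the event belongs to
    addr: int      # linear address written to / branched to
    size: int = 1  # bytes written; unused for branches

@dataclass
class UnpackMonitor:
    """Track bytes written by one guest process and report the first branch
    into a modified region, the point at which the unpacker dumps memory."""
    monitored_pid: int
    written: Set[int] = field(default_factory=set)
    dumps: List[Tuple[int, int, int]] = field(default_factory=list)  # (entry, lo, hi)

    def on_event(self, ev: Event) -> Optional[Tuple[int, int, int]]:
        if ev.pid != self.monitored_pid:
            return None  # instrumentation is per process; others are ignored
        if ev.kind == "write":
            self.written.update(range(ev.addr, ev.addr + ev.size))
            return None
        if ev.kind == "branch" and ev.addr in self.written:
            # Execution reached code the process wrote itself: one unpacking
            # layer is done. Record the region to dump, then reset so a
            # further layer (multi-stage packer) triggers another dump.
            region = (ev.addr, min(self.written), max(self.written) + 1)
            self.dumps.append(region)
            self.written.clear()
            return region
        return None

def run_trace(monitor: UnpackMonitor, trace: List[Event]) -> List[Tuple[int, int, int]]:
    for ev in trace:
        monitor.on_event(ev)
    return monitor.dumps

# Constructed trace (not a real capture): the stub of process 1234 writes a
# decrypted block, keeps running inside itself, then jumps into that block.
SAMPLE_TRACE = [
    Event("write", 999, 0x7000, 16),        # another process, ignored
    Event("branch", 1234, 0x400100),        # stub code, never modified
    Event("write", 1234, 0x401000, 0x100),  # layer 1 written
    Event("branch", 1234, 0x400120),        # still inside the stub
    Event("branch", 1234, 0x401000),        # entry into layer 1 -> dump
    Event("write", 1234, 0x402000, 0x40),   # layer 1 unpacks layer 2
    Event("branch", 1234, 0x402010),        # entry into layer 2 -> dump
]
```

Calling `run_trace(UnpackMonitor(1234), SAMPLE_TRACE)` yields one dump region per unpacking layer, each with the entry address that would be the candidate original entry point.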
Lutz Böhne studied Computer Science at RWTH Aachen University, where he graduated in 2008. He is currently working as a penetration tester for RedTeam Pentesting GmbH, a company specialised in penetration tests.
More information about RedTeam Pentesting can be found at http://www.redteam-pentesting.de