There is evil in this world. On the Internet, evil is known as malware. We are creating a brand new reverse engineering experience that gives the growing community of malware analysts an advantage over the players on the dark side.
Lars Haukli, Founder
At the age of 12, I was falsely accused of infecting my neighbor's PC with a computer virus. I had absolutely no idea how a virus worked, and I certainly had nothing to do with it spreading to that machine! All I wanted was to play a video game.
This event as a child sparked an interest in a dark and mysterious field of computer science. Fast-forward to today and I have spent the last decade designing and developing anti-malware, and malware analysis technology for the largest cybersecurity players on the planet.
With 0xepic I am creating the malware analysis system of the future: One that empowers analysts to achieve incredible things by giving them the upper hand in the evasion game, and making it easy for them to scale up their efforts with automation.
Selected Previously Published Research
Exposing Bootkits with BIOS Emulation
Black Hat USA, Las Vegas, August 7, 2014
RSA Conference, San Francisco, February 25, 2014
The security features added in modern 64-bit versions of Windows raise the bar for kernel mode rootkits. The introduction of Driver Signature Enforcement prevents malware from loading an unsigned kernel mode driver. PatchGuard was introduced to protect the integrity of the running kernel, in order to prevent rootkits from modifying critical structures or hooking system calls. Although time has shown that these security measures are not perfect, and may in fact be bypassed while actively running, an alternative approach is to subvert the system by running code before any of the security features kick in.
Secure Boot has been introduced to protect the integrity of the boot process. However, the model only works when booting from signed firmware (UEFI). Legacy BIOS systems are still vulnerable. The Master Boot Record, Volume Boot Record, and the bootstrap code all reside in unsigned sectors on disk, with no security features in place to protect them from modification.
Using a combination of low level anti-rootkit techniques, emulation, and heuristic detection logic, we have devised a way to detect anomalies in the boot sectors for the purpose of detecting the presence of bootkits.
Hypervisor Debugging with radare2
44CON, London, September 14, 2017
r2con, Barcelona, September 8, 2017
Reverse engineering protected code operating in kernel mode can be challenging. More advanced protection mechanisms typically combine obfuscation or encryption with techniques that hinder dynamic analysis. Some code will not run at all when certain debugging features are enabled by the OS.
radare2 is a comprehensive open-source framework for reverse engineering, that takes you to a magical world where control flow graphs of disassembled code are displayed in ASCII art. The framework combines a vast set of code analysis capabilities, which you can make use of in a variety of ways.
Enter the idea of connecting radare2 to a virtual machine, giving it direct access to guest physical memory. The intent is to debug Ring0 code running inside the guest, with the debugging mechanism operating exclusively on the host.