
Next Generation Process Emulation with Binee

Conference:  Defcon 27

2019-08-01

Summary

Binee is a lightweight dynamic binary analysis tool that uses hooks to capture system calls and intermediate CPU instructions to analyze malware. It aims to increase the fidelity of its output by adding more high-quality hooks and expanding its compatibility with different operating systems.
  • Binee is a dynamic binary analysis tool that captures system calls and intermediate CPU instructions to analyze malware
  • It uses hooks to achieve this and can display the state of all registers and part of the stack between every CPU instruction
  • Binee is currently only compatible with Windows binaries, but the developers plan to add support for UNIX and Mac OS binaries in the future
  • The tool is lightweight and can handle large data sets quickly
  • The developers plan to add more high-quality hooks to increase the fidelity of Binee's output
  • Binee is open source and available for public use
The speaker mentioned that Binee was used for debugging to identify where a program was crashing. They also showed an example of malware being analyzed by Binee, which opened a file for reading and another temporary file for writing, followed by a series of read and write operations.

Abstract

The capability to emulate x86 and other architectures has been around for some time. Malware analysts have several tools readily available in the public domain. However, most of these tools stop short of full emulation, halting or behaving unpredictably when emulating library functions or system calls not implemented in the emulator. In this talk we introduce a new tool into the public domain, Binee, a Windows process emulator. Binee creates a nearly identical Windows process memory model inside the emulator, including all dynamically loaded libraries and other Windows process structures. Binee mimics much of the OS kernel and outputs a detailed description of all function calls with human-readable parameters for the duration of the process. We've designed Binee with two primary use cases in mind: first, data extraction at scale with a cost and speed similar to common static analysis tools, and second, malware analysts who need a custom operating system and framework without the overhead of spinning up various configurations of virtual machines. Currently Binee can run on Windows, OS X, and Linux.
