Level: Advanced Subject Matter

Abstract:
Binary instrumentation involves inserting code into compiled executables to monitor, analyze, or modify their behavior either at runtime (dynamic) or before execution (static) without altering the original source code. Static binary instrumentation (SBI) injects code before a binary runs, typically by modifying the file on disk, whereas dynamic binary instrumentation (DBI) operates in memory while the program runs. These techniques are widely used for profiling, debugging, tracing, security analysis, and reverse engineering.

Modern malware analysis often encounters obstacles when using traditional static or interactive methods. Dynamic Binary Instrumentation (DBI) offers an alternative by allowing researchers to monitor and modify a program's instructions during runtime. This talk will introduce DynamoRIO, a framework designed for this purpose. Rather than letting the application's original code run directly, it copies each basic block into its own code cache and executes it from there, so a client sees, and can rewrite, every instruction just before it executes. That includes code the sample unpacks or decrypts into memory at runtime, giving a view of malicious behaviour that packing or obfuscation would otherwise hide.

The presentation will cover the practical application of the framework, starting with its built-in tools for tasks such as code coverage (drcov) and memory monitoring. We will then examine the process of writing custom clients against the provided API: shared libraries that DynamoRIO loads into the target process and that register callbacks for events such as basic-block creation and system calls. This allows for the creation of specialised clients that can automate the extraction of payloads or the logging of specific system calls, making the analysis process more efficient when dealing with complex samples.

A significant portion of the discussion will focus on how DynamoRIO performs when faced with common anti-analysis techniques. Malware frequently employs methods to detect debuggers or virtual environments and, when it finds them, refuses to run or changes its behaviour. We will look at how the framework handles these challenges, specifically its ability to bypass timing-based checks (for example, samples that measure how long a stretch of code takes to execute and treat an unexpectedly slow first run as a sign of instrumentation) and other detection mechanisms. This evaluation is based on research into the transparency of the instrumentation process and its effectiveness in keeping the sample running as it would outside the analysis environment.
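
What such a timing check looks like from the sample's side, as an added example written for this page (not the speaker's code and not part of DynamoRIO): it times a cold first run of a small loop against the best of several warm runs of the same loop. The 50x ratio used in main is a constructed placeholder; a real sample would calibrate it per machine, and natively the cold run also pays instruction-cache and page-fault costs, so the decision is a heuristic rather than a proof.

```c
/* rdtsc_probe.c - the kind of timing check a sample might use to sense DBI.
 * Added example for this page; not the speaker's code. The ratio threshold
 * is a constructed assumption. */
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Cycle stamp on x86 (rdtsc, with a memory clobber so the compiler keeps the
 * probed work between the two reads); nanosecond stamp elsewhere. */
static inline uint64_t stamp(void)
{
#if defined(__x86_64__) || defined(__i386__)
    uint32_t lo, hi;
    __asm__ __volatile__("rdtsc" : "=a"(lo), "=d"(hi) : : "memory");
    return ((uint64_t)hi << 32) | lo;
#else
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
#endif
}

/* The work being timed: a short loop of cheap, dependent memory operations. */
static void probed_work(void)
{
    volatile uint64_t acc = 0;
    for (int i = 0; i < 256; i++)
        acc += (uint64_t)i;
}

/* Time one execution of probed_work(). */
static uint64_t time_once(void)
{
    uint64_t t0 = stamp();
    probed_work();
    return stamp() - t0;
}

/* Cold run: under DBI this window also contains the cost of copying the loop's
 * basic blocks into the engine's code cache. */
uint64_t cold_cycles(void)
{
    return time_once();
}

/* Warm runs execute from the code cache at near native speed; taking the
 * minimum over several rounds filters out interrupts and scheduling noise. */
uint64_t warm_min_cycles(int rounds)
{
    uint64_t best = UINT64_MAX;
    for (int r = 0; r < rounds; r++) {
        uint64_t d = time_once();
        if (d < best)
            best = d;
    }
    return best;
}

/* Decision rule: flag when the cold run took more than `ratio` times the warm minimum. */
int looks_instrumented(uint64_t cold, uint64_t warm_min, uint64_t ratio)
{
    if (warm_min == 0)
        warm_min = 1;   /* coarse clocks can report zero; avoid dividing by it */
    return cold / warm_min > ratio;
}

int main(void)
{
    uint64_t cold = cold_cycles();
    uint64_t warm = warm_min_cycles(32);
    printf("cold=%llu warm_min=%llu -> %s\n",
           (unsigned long long)cold, (unsigned long long)warm,
           looks_instrumented(cold, warm, 50) ? "instrumented?" : "looks native");
    return 0;
}
```

The cold/warm ratio, rather than an absolute cycle count, is what makes the check portable across CPUs. A client hides from it by rewriting the rdtsc instructions it encounters in its basic-block event so the sample reads a clock the client controls; that, and keeping the block-building cost out of the sample's view, is the transparency work the talk refers to.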

By the end of the session, attendees will have a functional understanding of how to integrate DBI into their analysis workflows. The talk aims to provide a clear view of the framework’s capabilities and its practical use cases in the context of threat research. Participants will be familiar with the methods needed to deploy and customize DynamoRIO for their own investigative requirements.

Bio:
Vanja Svajcer works as a Threat Researcher at Cisco Talos. Vanja enjoys tinkering with automated analysis systems, reversing binaries and analysing mobile malware. He thinks time spent scraping telemetry data to find indicators of new attacks is well worth the effort. He presented his work at conferences such as FSec, Bsides, Virus Bulletin, RSA, CARO, AVAR, BalcCon and others.
