Recon2012 - PREVIEW

Recon 2012

Speakers: Francisco Falcon, Nahuel Riva
Day: Day 3 - 2012-06-16
Room: Grand Salon
Start time: 14:00
Duration: 01:00
ID: 216

Dynamic Binary Instrumentation Frameworks: I know you're there spying on me

Debuggers have been, and still are, the de facto tool for dynamic analysis of programs. Over the last decade a myriad of techniques to detect the presence of these kinds of tools have been developed as a defensive measure to prevent the analysis of code at runtime.

Over the past few years, an alternative for dynamic code analysis appeared: Dynamic Binary Instrumentation (DBI) frameworks. These have gained popularity in the information security field, and their usage for reverse engineering tasks is increasing. Nowadays we have DBI-based tools that allow us to perform different kinds of jobs, such as covert debugging, shellcode detection, taint analysis, instruction tracing, automatic unpacking, and self-modifying code analysis, among others.

We believe that as DBI framework-based reverse engineering tools gain popularity, defensive techniques to avoid dynamic code analysis through instrumentation will arise. Our research aims to be the starting point in the task of documenting and presenting different techniques to detect the presence of DBI framework-based tools.

During our talk we will show over a dozen techniques that can be used to determine whether our code is being instrumented, focusing on Pin, Intel's DBI framework. We will also release a benchmark-like open source tool that automatically tests every technique discussed in the talk. We call this tool eXait, the eXtensible Anti-Instrumentation Tester.