FunCap
The presentation will be about a tool called FunCap (http://github.com/deresz/funcap). This script uses the IDA Pro debugger API to record function calls (and returns) across an executable, along with all the arguments passed to them. It dumps this information and inserts it into IDA's inline annotations (comments) at the corresponding locations.
This way, the static analysis that usually follows behavioral runtime analysis when analyzing malware can be fed directly with runtime information, such as decrypted strings returned through a function's arguments. In the author's opinion, this makes it possible to understand the program's logic much faster than starting from "zero-knowledge" reversing. The plugin earned second prize in the Hex-Rays Plug-In Contest 2013.
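A stripped-down version of the mechanism described above, added here as an illustration (this is not FunCap's own code): an IDAPython debugger hook that, at each breakpoint on a function entry, reads the stack-passed arguments and writes them as an inline comment at the call site. It assumes a 32-bit x86 target with stack-passed arguments and that the functions to watch are named in the IDB; the two pure helper functions also import outside IDA.

```python
# Added example in the spirit of FunCap, not its code. Assumes 32-bit x86 with
# stack-passed arguments: at function entry [esp] holds the return address and
# the arguments follow it, one dword each. The import guard lets the helpers run outside IDA.
try:
    import idc
    import ida_dbg
except ImportError:
    ida_dbg = None

ARG_COUNT = 4  # stack slots captured per call (assumption: enough for most APIs)

def read_stack_args(read_dword, esp, count=ARG_COUNT):
    """Return `count` dword arguments located above the return address at [esp]."""
    return [read_dword(esp + 4 * (i + 1)) for i in range(count)]

def format_annotation(func_name, args, ret_addr):
    """One-line FunCap-style comment: callee name, captured args, return address."""
    rendered = ", ".join("arg%d=0x%08x" % (i, a) for i, a in enumerate(args))
    return "%s(%s) ret=0x%08x" % (func_name, rendered, ret_addr)

if ida_dbg:
    class CallRecorder(ida_dbg.DBG_Hooks):
        """Breakpoint handler: capture args, annotate the call site, resume."""
        def __init__(self):
            ida_dbg.DBG_Hooks.__init__(self)
            self.calls = []  # (call_site, annotation) pairs, kept for a later dump

        def dbg_bpt(self, tid, ea):
            esp = idc.get_reg_value("ESP")
            ret_addr = idc.read_dbg_dword(esp)
            args = read_stack_args(idc.read_dbg_dword, esp)
            note = format_annotation(idc.get_func_name(ea), args, ret_addr)
            call_site = idc.prev_head(ret_addr)  # the CALL that brought us here
            idc.set_cmt(call_site, note, 0)      # inline (non-repeatable) comment
            self.calls.append((call_site, note))
            ida_dbg.request_continue_process()   # do not stay suspended at the bp
            ida_dbg.run_requests()
            return 0

    def record_calls(func_names):
        """Set a breakpoint on every named function and install the recorder."""
        recorder = CallRecorder()
        recorder.hook()
        for name in func_names:
            ea = idc.get_name_ea_simple(name)
            if ea != idc.BADADDR:
                idc.add_bpt(ea)
        return recorder
```

Inside IDA, start the debugger, then call `record_calls(["DecryptString"])` (a hypothetical function name) and let the process run; each call site of the watched functions receives a comment with the argument values seen at runtime.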
Speakers
Andrzej Dereszowski