Alexander Sotirov - Reverse Engineering Microsoft Binaries

One of the applications of reverse engineering in computer security is the analysis of operating systems and software for which no source code is available. Most commonly the target is Microsoft Windows, and the goal is to find new 0-day vulnerabilities or to understand the full impact of old bugs. Reverse engineering Microsoft software presents numerous challenges. Based on his experience reversing every Microsoft patch from the last six months, the speaker will present a number of techniques for improving the accuracy of the disassembly output and automating the reverse engineering process. He will begin with an overview of the differences between analyzing Microsoft binaries and other forms of reverse engineering, such as disassembling malware. He will cover common MSVC compiler optimizations, function chunking, C++ vtables, COM objects, exception handling and more. In the second part of the presentation he will focus on the problems with loading symbols and on improving the results of the IDA Pro autoanalysis. Finally, he will release the source code of an IDA plugin that improves symbol loading and fixes common disassembly problems. Most of the information presented is applicable to non-Microsoft applications as well, but the examples he provides are drawn from his experience reversing Microsoft patches.


Alexander Sotirov has been involved in computer security since 1998, when he became one of the editors of Phreedom Magazine, a Bulgarian underground technical publication. For the past eight years he has been working on reverse engineering, exploit code development and research in automated source code auditing. His best-known work is the development of highly reliable exploits for Apache/mod_ssl, ProFTPd and Windows ASN.1. He graduated with a Master's degree in computer science in 2005. He currently works as chief reverse engineer on the security research team at Determina Inc., a HIPS startup in Redwood City, CA.