Windows Defender under the microscope: a reverse engineer's perspective

Thursday 4 October 11:30 - 12:00, Red room

Alexei Bulazel (ForAllSecure)



Windows Defender's MpEngine.dll implements the core of Defender's anti-virus functionality in an enormous ~11MB, 45,000+ function DLL.

In 2017 and early 2018, I spent months reverse engineering Defender's JavaScript and Windows binary emulators as a personal project after Tavis Ormandy's release of 0-days in the engine piqued my interest. While my previous conference presentations have covered the deep technical inner workings of the engine, in this presentation I'd like to share a reverse engineer's perspective on Defender. How I, as an industry outsider, went about reverse engineering the engine, interacting with it, and fuzzing it.

Attendees will take away insights as to how reverse engineers might approach their emulators, the sort of intuition about an attack surface that a vulnerability researcher might bring to this analysis, and ultimately how they might better protect against researchers like me in the future.

 

Alexei-Bulazel-web.jpg

Alexei Bulazel

Alexei Bulazel is a security researcher at ForAllSecure. He has previously presented at research on reverse engineering anti-virus software at venues such as Black Hat, REcon, and ShmooCon, among others; and has published scholarly work on evasive malware techniques at USENIX WOOT and ROOTS. A graduate of Rensselaer Polytechnic Institute (RPI) and a proud alumnus of RPISEC, Alexei completed his M.S. under Dr Bülent Yener.

@0xAlexei


   Download slides

Other VB2018 papers

Exploiting ActionScript3 interpreter

Boris Larin (Kaspersky Lab)
Anton Ivanov (Kaspersky Lab)

VB2018 opening address

Martijn Grooten (Virus Bulletin)

TBA

Back to VB2018 Programme page

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.