This year was my first time at REcon, most of the talks were pretty genuine, I have to mention also that Montreal is an awesome city 🙂
My talk for this year was to describe how to build a tailored operating system that will be executed using an emulator (be it Bochs, qemu, VMWare, …) for the purpose of debugging malware, shellcode or any other code snippet.
An existing emulator will be leveraged (instead of building an emulator from scratch, which can be time consuming and error prone).
Later, I describe how to write a program that can construct a custom disk image containing a tailored operating system to run a specific piece of code or malware.
The following design aspects were covered:
- disk structure: file system design and file format structure
- booting process: page table setup, GDT/IDT setup and exception dispatching
- the host: the role played by the host
- host/guest interaction: communication method used to exchange information between the host and the guest
- os environment: system structures and the memory layout of the main program and its dependencies
- API emulation: customization of APIs using scripts (Python, …) or native code (asm or C code)
- debugging: debugging facilities using Bochs’ built-in debugger
- use cases: malware and shellcode debugging
The slides can be downloaded from here.
Special thanks to the organizers Hugo Fortier and David Mirza.