P2Ep17: 2005-2010 - Process Emulator I

Published: 06 February 2023
on channel: Cyber Llama Talks

From this video you will learn about the evolution of the CPU emulator into the process emulator and how it helped to unpack custom packers and polymorphic malware.

CORRECTIONS:
I don't know why my brain keeps substituting the FS segment register with ES, but of course to get the PEB/TEB on a 32-bit Intel CPU the program uses the FS segment register.
I missed emulation of the system libraries as the third thing which must be emulated. Of course they are needed for shellcode or position-independent code emulation, since the shellcode will use the PEB to derive API addresses from system libraries directly. Thus, together with the PEB/TEB, the process emulator needs to execute system DLLs (kernel32, ntdll, advapi32, etc.).
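As an added illustration of the FS and process-structure emulation discussed in the talk (this is example code written for this page, not code from the video or its author), the toy below builds a 32-bit TEB/PEB/PEB_LDR_DATA layout in an emulated address space, resolves FS-relative reads against the TEB the way a process emulator must, and shows what position-independent code would observe when it follows FS:[0x30] to the loaded-module list. The structure offsets are the public 32-bit Windows ones; MAP_BASE, the module names and their base addresses are constructed for the example.

```python
import struct

# Constructed flat address space: one bytearray mapped at MAP_BASE holds every structure.
MAP_BASE = 0x7FFD0000
TEB_ADDR, PEB_ADDR, LDR_ADDR = MAP_BASE, MAP_BASE + 0x100, MAP_BASE + 0x200
ENTRY_ADDR, ENTRY_STRIDE = MAP_BASE + 0x300, 0x80   # one LDR_DATA_TABLE_ENTRY + name buffer each

class EmulatedProcess:
    """Minimal 32-bit process environment: TEB, PEB, PEB_LDR_DATA and the loaded-module list."""
    def __init__(self, modules):            # modules: constructed [(name, dll_base), ...]
        self.mem = bytearray(0x1000)
        self.fs_base = TEB_ADDR             # on 32-bit Windows the FS segment base is the TEB
        self._build(modules)
    def read32(self, addr):
        return struct.unpack_from("<I", self.mem, addr - MAP_BASE)[0]
    def write32(self, addr, value):
        struct.pack_into("<I", self.mem, addr - MAP_BASE, value)
    def read_fs32(self, disp):
        """Emulates `mov eax, fs:[disp]`: an FS-relative read resolves against the TEB base."""
        return self.read32(self.fs_base + disp)
    def _build(self, modules):
        self.write32(TEB_ADDR + 0x18, TEB_ADDR)   # NtTib.Self
        self.write32(TEB_ADDR + 0x30, PEB_ADDR)   # TEB.ProcessEnvironmentBlock
        self.write32(PEB_ADDR + 0x0C, LDR_ADDR)   # PEB.Ldr
        head = LDR_ADDR + 0x0C                    # PEB_LDR_DATA.InLoadOrderModuleList
        entries = [ENTRY_ADDR + i * ENTRY_STRIDE for i in range(len(modules))]
        ring = [head] + entries                   # circular doubly linked LIST_ENTRY chain
        for i, node in enumerate(ring):
            self.write32(node, ring[(i + 1) % len(ring)])       # Flink
            self.write32(node + 4, ring[(i - 1) % len(ring)])   # Blink
        for entry, (name, base) in zip(entries, modules):
            self.write32(entry + 0x18, base)      # LDR_DATA_TABLE_ENTRY.DllBase
            buf, buf_addr = name.encode("utf-16-le"), entry + 0x40
            self.mem[buf_addr - MAP_BASE:buf_addr - MAP_BASE + len(buf)] = buf
            # BaseDllName as a UNICODE_STRING: Length, MaximumLength, Buffer
            struct.pack_into("<HHI", self.mem, entry + 0x2C - MAP_BASE, len(buf), len(buf) + 2, buf_addr)
    def read_unicode_string(self, addr):
        length, _, buf = struct.unpack_from("<HHI", self.mem, addr - MAP_BASE)
        return bytes(self.mem[buf - MAP_BASE:buf - MAP_BASE + length]).decode("utf-16-le")

def walk_loaded_modules(proc):
    """What emulated position-independent code observes: FS:[0x30] -> PEB -> Ldr -> modules."""
    peb = proc.read_fs32(0x30)
    head = proc.read32(peb + 0x0C) + 0x0C
    found, node = [], proc.read32(head)
    while node != head:
        found.append((proc.read_unicode_string(node + 0x2C), proc.read32(node + 0x18)))
        node = proc.read32(node)
    return found
```

Without the system DLLs themselves mapped at those base addresses, the walk only yields names and bases; resolving exported API addresses from them is the part the correction above says the emulator must also provide.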

#malware #antimalware #cpu #process #emulator #detection
#cyberdefense #cybersecurity
#cyber #cyberllama #cyberllamatalks

00:00 Intro
00:15 CPU Emulator Quick Review
02:07 Process Emulator
02:50 Emulation of Process Structures
04:50 CALL and JMP instructions
06:02 API emulation
07:42 SYSCALL/SYSENTER/INT2Eh
08:45 FS emulation
09:31 Passthrough for FS emulation
10:34 Network emulation
12:27 Conclusion
