P2Ep17: 2005-2010 - Process Emulator I

Published: 6 February 2023
Channel: Cyber Llama Talks
Views: 55
Likes: 3

From this video you will learn about the evolution of the CPU emulator into the process emulator and how it helped to unpack custom packers and polymorphic malware.

CORRECTIONS:
I don't know why my brain keeps substituting ES for the FS segment register, but of course to get the PEB/TEB on a 32-bit Intel CPU the program uses the FS segment register.
I missed emulation of the system libraries as the third thing which must be emulated. Of course they are needed for shellcode or position-independent code emulation, since the shellcode will use the PEB to derive API addresses from system libraries directly. Thus, together with the PEB/TEB, the process emulator needs to execute system DLLs (kernel32, ntdll, advapi32, etc.).
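The two corrections above describe what an emulator has to provide before position-independent code can run: an FS segment whose base is the TEB, a PEB reachable at TEB+0x30, and a PEB_LDR_DATA module list that actually contains the system DLLs. The Python below is an added illustration written for this page, not code from the video or the channel; it models those 32-bit structures in a flat guest memory, emulates an `fs:[offset]` read, and walks the InMemoryOrderModuleList the way shellcode does. The structure offsets are the documented 32-bit Windows layouts; every address, module base and module name is a constructed sample value.

```python
"""
Model of the 32-bit process structures a process emulator must populate
for position-independent code: TEB (reached through FS), PEB, PEB_LDR_DATA
and the InMemoryOrderModuleList of LDR_DATA_TABLE_ENTRY records.
Offsets are the real 32-bit Windows layouts; addresses are constructed.
"""
import struct

# Field offsets (32-bit Windows)
TEB_PEB = 0x30            # TEB.ProcessEnvironmentBlock
PEB_LDR = 0x0C            # PEB.Ldr
LDR_INMEMORY_LIST = 0x14  # PEB_LDR_DATA.InMemoryOrderModuleList (LIST_ENTRY)
# Offsets relative to the InMemoryOrderLinks LIST_ENTRY inside an entry
ENT_DLLBASE = 0x10        # LDR_DATA_TABLE_ENTRY.DllBase (0x18 - 0x08)
ENT_BASENAME = 0x24       # LDR_DATA_TABLE_ENTRY.BaseDllName (0x2C - 0x08)

# Constructed guest addresses for the emulated process
REGION_BASE = 0x7FF00000
TEB_ADDR = REGION_BASE
PEB_ADDR = REGION_BASE + 0x1000
LDR_ADDR = REGION_BASE + 0x2000
ENTRIES_ADDR = REGION_BASE + 0x3000   # one 0x100-byte slot per module


class EmuMemory:
    """Flat guest memory; reads outside the mapped region raise, like a
    fault the emulator would have to report."""

    def __init__(self, base, size):
        self.base = base
        self.buf = bytearray(size)

    def _off(self, addr):
        if not self.base <= addr < self.base + len(self.buf):
            raise MemoryError(f"unmapped guest address {addr:#010x}")
        return addr - self.base

    def write(self, addr, data):
        o = self._off(addr)
        self.buf[o:o + len(data)] = data

    def read(self, addr, n):
        o = self._off(addr)
        return bytes(self.buf[o:o + n])

    def write_u32(self, addr, v):
        self.write(addr, struct.pack("<I", v))

    def read_u32(self, addr):
        return struct.unpack("<I", self.read(addr, 4))[0]

    def read_u16(self, addr):
        return struct.unpack("<H", self.read(addr, 2))[0]


def build_process(modules):
    """Populate TEB/PEB/Ldr for a list of (dll_name, dll_base) pairs.
    Returns (memory, fs_base); fs_base is what the emulator uses as the
    FS segment base."""
    mem = EmuMemory(REGION_BASE, 0x10000)
    mem.write_u32(TEB_ADDR + TEB_PEB, PEB_ADDR)
    mem.write_u32(PEB_ADDR + PEB_LDR, LDR_ADDR)
    head = LDR_ADDR + LDR_INMEMORY_LIST
    # InMemoryOrderLinks sits at +0x08 of each LDR_DATA_TABLE_ENTRY
    links = [ENTRIES_ADDR + i * 0x100 + 0x08 for i in range(len(modules))]
    ring = [head] + links
    for i, addr in enumerate(ring):          # circular doubly linked list
        mem.write_u32(addr, ring[(i + 1) % len(ring)])       # Flink
        mem.write_u32(addr + 4, ring[(i - 1) % len(ring)])   # Blink
    for link, (name, dll_base) in zip(links, modules):
        mem.write_u32(link + ENT_DLLBASE, dll_base)
        name_bytes = name.encode("utf-16le")
        name_buf = link - 0x08 + 0x80        # string storage inside the slot
        mem.write(name_buf, name_bytes)
        # UNICODE_STRING: Length, MaximumLength, Buffer
        mem.write(link + ENT_BASENAME,
                  struct.pack("<HHI", len(name_bytes), len(name_bytes) + 2, name_buf))
    return mem, TEB_ADDR


def read_fs_u32(mem, fs_base, offset):
    """Emulate `mov eax, fs:[offset]`: FS base is the TEB address."""
    return mem.read_u32(fs_base + offset)


def walk_modules(mem, fs_base):
    """TEB -> PEB -> Ldr -> InMemoryOrderModuleList, as PIC does it."""
    peb = read_fs_u32(mem, fs_base, TEB_PEB)
    ldr = mem.read_u32(peb + PEB_LDR)
    head = ldr + LDR_INMEMORY_LIST
    found = []
    cur = mem.read_u32(head)                 # first Flink
    while cur != head:
        dll_base = mem.read_u32(cur + ENT_DLLBASE)
        length = mem.read_u16(cur + ENT_BASENAME)
        buf = mem.read_u32(cur + ENT_BASENAME + 4)
        name = mem.read(buf, length).decode("utf-16le")
        found.append((name.lower(), dll_base))
        cur = mem.read_u32(cur)
    return found


def find_module_base(mem, fs_base, name):
    """Return the DllBase for a module name, or None if the emulator never
    loaded it (the failure mode the correction above points at)."""
    for mod_name, base in walk_modules(mem, fs_base):
        if mod_name == name.lower():
            return base
    return None
```

With `build_process([])` the list is empty and `find_module_base` returns `None`, which is exactly what happens when an emulator supplies a TEB/PEB but no system DLLs: the sample's API resolution fails and emulation stops short of the real payload. Loading kernel32, ntdll and the rest into the module list is what lets the walk succeed, and the emulator then also has to execute code inside those images.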

#malware #antimalware #cpu #process #emulator #detection
#cyberdefense #cybersecurity
#cyber #cyberllama #cyberllamatalks

00:00 Intro
00:15 CPU Emulator Quick Review
02:07 Process Emulator
02:50 Emulation of Process Structures
04:50 CALL and JMP instructions
06:02 API emulation
07:42 SYSCALL/SYSENTER/INT2Eh
08:45 FS emulation
09:31 Passthrough for FS emulation
10:34 Network emulation
12:27 Conclusion

