Binee: Complete Emulation of Advanced Malware

John Holowczak
Carbon Black

Track 1

The capability to emulate x86 and other architectures has been around for some time, with several tools readily available in the public domain. However, most of the tools stop short of full emulation, halting or doing strange things when emulating library functions or system calls not implemented in the emulator. In this talk, we introduce a new tool into the public domain: Binee, a Windows Process emulator. Binee creates a nearly identical Windows process memory model inside the emulator, including all dynamically loaded libraries and other Windows process structures. Binee mimics much of the OS kernel and outputs a detailed description of all function calls with human-readable parameters through the duration of the process. We’ve designed Binee to collect dynamic analysis data with a speed similar to common static analysis tools; this includes gathering data about obfuscated or packed function calls that are not visible to static tools. Included with Binee is a debug mode which resembles gdb and allows breaking, memory and register, and function parameter modifications. Binee is meant to be a framework to build on for further projects; ELF and Mach-O binaries are a future target. While it does have roots in infosec from a malware perspective, it can be a handy tool in a hacker’s arsenal for rapid examination of control flow and function arguments, aspects often studied by reverse engineers and vulnerability researchers. Currently, Binee can run on Windows, OS X, and Linux.

About John Holowczak

John is a Threat Researcher on Carbon Black's Threat Analysis Unit, focusing on automation of threat detection and building out infrastructure for large scale malware analysis. Within the field of threat detection and analysis, John specializes his research in binary classification, dynamic analysis and reverse engineering.