Don’t flatten yourself: restoring malware with Control-Flow Flattening obfuscation
Control-Flow Flattening (CFF) is an obfuscation and anti-analysis technique used by malware authors. Its goal is to hide the control flow of a function to hinder reverse engineering: the function's basic blocks are placed as cases of a central dispatcher that selects the next block through a state variable, so the original block order is no longer visible in the control-flow graph. CFF makes static analysis complex and significantly increases the time an analyst must invest. Malware authors have already discovered this, and a steady increase can be seen in malware samples that use CFF. Soon every analyst will face it routinely, which calls for know-how and tooling to help them.
This presentation provides that know-how and tooling. First, we discuss the general approach to fighting CFF: how to identify CFF and which components (the state variable, the dispatcher, and the state constants each block assigns) are essential to restore the control flow.
We then compare three different approaches to fighting CFF: basic pattern matching, emulation, and symbolic execution. Their implementation is demonstrated as IDAPython scripts.
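As an added illustration of the emulation approach described above (this is example code written for this page, not the talk's IDAPython scripts), the following Python models a flattened function as a small constructed IR instead of calling IDA's API, so it runs without IDA. Each dispatcher case is a list of instructions; the only instructions that matter for recovery are the writes to the state variable. Recovery ignores the dispatcher's own edges and follows the state constants from the entry state, which rebuilds the original block-to-block edges, including the conditional branch and the loop. The state constants, the `0xDEAD` junk case, and the instruction names are all made up for the example.

```python
from collections import deque

# Constructed toy IR of a control-flow-flattened function (hypothetical
# example; not taken from any real sample and not the talk's tooling).
# Each key is a constant the dispatcher compares the state variable
# against; the value is the instruction list of that dispatcher case.
#   ("set_state", s)              unconditional write of the state variable
#   ("set_state_cond", c, t, f)   state = t if condition c else f
#   ("ret",)                      the block returns from the function
ENTRY_STATE = 0x3A1F
CASES = {
    0x3A1F: [("op", "x = read_input()"), ("set_state", 0x77B2)],
    0x77B2: [("op", "flag = x > 10"),
             ("set_state_cond", "flag", 0x1C09, 0x5E44)],    # if / else
    0x1C09: [("op", "x = x * 2"),
             ("set_state_cond", "x < 100", 0x1C09, 0x9A30)],  # loop back edge
    0x5E44: [("op", "x = x + 1"), ("set_state", 0x9A30)],
    0x9A30: [("op", "return x"), ("ret",)],
    0xDEAD: [("op", "nop"), ("set_state", 0x9A30)],           # nothing reaches it
}


def successors(case):
    """Emulate the state-variable writes of one case and return the
    state constants it can hand back to the dispatcher."""
    for ins in case:
        if ins[0] == "set_state":
            return [ins[1]]
        if ins[0] == "set_state_cond":
            return [ins[2], ins[3]]
        if ins[0] == "ret":
            return []
    raise ValueError("case neither sets the state variable nor returns")


def recover_cfg(cases, entry):
    """Rebuild the original edges by following state constants from the
    entry state. The dispatcher's own fan-out edges are never consulted."""
    cfg = {}
    work = deque([entry])
    while work:
        state = work.popleft()
        if state in cfg:          # already visited; handles loops
            continue
        if state not in cases:
            raise KeyError(f"state {state:#x} has no dispatcher case")
        cfg[state] = successors(cases[state])
        work.extend(cfg[state])
    return cfg


def unreachable_cases(cases, cfg):
    """Dispatcher cases the recovered flow never reaches. They are
    reported rather than silently dropped so the analyst can inspect them."""
    return sorted(s for s in cases if s not in cfg)


def reading_order(cfg, entry):
    """Depth-first order of the recovered blocks: the order in which an
    analyst would read the function once the dispatcher is gone."""
    order, seen = [], set()

    def visit(state):
        if state in seen:
            return
        seen.add(state)
        order.append(state)
        for nxt in cfg[state]:
            visit(nxt)

    visit(entry)
    return order


if __name__ == "__main__":
    cfg = recover_cfg(CASES, ENTRY_STATE)
    for state in reading_order(cfg, ENTRY_STATE):
        body = "; ".join(i[1] for i in CASES[state] if i[0] == "op")
        succ = ", ".join(f"{s:#x}" for s in cfg[state]) or "(return)"
        print(f"{state:#06x}: {body:<22} -> {succ}")
    print("unreachable cases:", [f"{s:#x}" for s in unreachable_cases(CASES, cfg)])
```

In a real binary the same idea applies, except that the state writes are found by emulating or symbolically executing each case up to its jump back to the dispatcher, and the recovered edges are then used to patch the jumps or to drive a decompiler plugin. Emulation suffices when every case assigns a constant; a state computed from runtime data is where symbolic execution earns its keep.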
Mr. Geri Revay
Geri has more than 13 years of experience in cybersecurity. He started on this path by specializing in network and information security during his M.Sc. in computer engineering. Since then, he has worked as a QA engineer for a security vendor, then moved to penetration testing, first as an external consultant and then as an internal consultant at Siemens. He is a hacker at heart and a consultant by trade, and has worked on both IT and OT systems. In recent years he has focused on security research in binary analysis and reverse engineering, which led him to Fortinet. At FortiGuard Labs, he currently does research related to malware analysis and reverse engineering.