Welcome to the VB2021 conference!

arrow left Back

Breaking modern software protectors through exploitation

19:00 - 19:30 UTC Thu 7 Oct 2021
Nino Isakovic (Microsoft) & Dart Torstino (Microsoft)
Microsoft has had a very recent and unpleasant encounter with kernel-mode rootkits, where there turned out to be a plethora of Microsoft signed rootkits out in the wild. A lot of these drivers were protected with a variety of modern software obfuscations, the most prominent one being VMProtect, which prompted an initiative against these advanced forms of protections and their use in malware.

Our research will underline, in full, how this specific protector works, which in turn will shed light onto how all of them work in principle. We will also showcase a novel way of defeating this protector that, to the best of our knowledge, hasn't been demonstrated publicly yet. We plan to demonstrate how to leverage certain interfaces to, in a very real sense, break the entirety of the protection. We also plan to release a tool that can comprehensively unpack all latest versions of the protection and hopefully bring more attention to software protection as a whole and shed some much needed light on the mystery that enshrouds it. As a bonus, we will showcase, using essentially the same mechanisms, how to break a component a certain vendor has dubbed as "unbreakable" by leveraging these same techniques.

Got a question about this presentation? During the live broadcast post your question in the #q-and-a channel on Discord or, to get in touch with the speakers later, find them on Discord under the nickname DART_GB#6730.
Nino Isakovic

Nino is a senior security consultant and researcher for Microsoft's Detection and Response Team (DART), constantly engaged in incident responses all over the world. The team is in a unique position not only to tackle all the latest threats facing the company's customers, from every variety of APT for virtually any device, but also create original research from all of the threat actor activity that they are constantly engaged with.

Dart Torstino

Dart Torstino is a principal security consultant for Microsoft's Detection and Response Team (DART), and has been working at Microsoft for well over a decade. He brings decades worth of experience from analysing and troubleshooting on close to a dozen different architectures, to investigating every memory dump imaginable. He is well known internally for his uncanny wisdom.