Dynamic Binary Instrumentation Frameworks: I know you're there spying on me

Debuggers have been, and still are, the de-facto tool for dynamic analysis of programs. In the last decade a myriad of techniques to detect the presence of this kind of tool have been developed as a defensive measure to prevent the analysis of code at runtime.

For some years now we have had an alternative for dynamic code analysis: Dynamic Binary Instrumentation (DBI) frameworks. These have gained popularity in the information security field, and their use for reverse engineering tasks is increasing. Nowadays we have DBI-based tools that allow us to perform different kinds of jobs, such as covert debugging, shellcode detection, taint analysis, instruction tracing, automatic unpacking, and self-modifying code analysis, among others.

We believe that as DBI framework-based reverse engineering tools gain popularity, defensive techniques to avoid dynamic code analysis through instrumentation will arise. Our research aims to be the starting point in the task of documenting and presenting different techniques to detect the presence of DBI framework-based tools.

During our talk we will show more than a dozen techniques that can be used to determine whether our code is being instrumented, focusing on Pin, Intel's DBI framework. Besides that, we'll also release a benchmark-like tool (eXait, the eXtensible Anti-Instrumentation Tester), which allows every technique discussed during our talk to be tested automatically.