Jared Nishikawa

VMware

Next Generation Process Emulation with Binee

The capability to emulate x86 and other architectures has been around for some time. Malware analysts have several tools readily available in the public domain. However, most of the tools stop short of full emulation, halting or doing strange things when emulating library functions or system calls not implemented in the emulator. In this talk we introduce a new tool: Binee (Binary Emulation Environment), a Windows Process emulator. Binee creates a nearly identical Windows process memory model inside the emulator, including all dynamically loaded libraries and other Windows process structures. Binee mimics much of the OS kernel and outputs a detailed description of all function calls with human readable parameters through the duration of the process.

One of the primary benefits Binee provides is data extraction at scale, at a cost and speed similar to common static analysis tools. For the data scientist doing binary analysis, static analysis is the primary source of data in much of the literature, because of the difference in cost and complexity between the two approaches: static analysis is cheap and fast, while dynamic analysis is slow and expensive. Binee increases the amount of useful data extracted at a cost similar to that of static analysis tools, and it can run in the cloud at scale, outputting structured data for analysis.

Currently, our goal is to develop Binee to the point that it will extract useful data for all or most Windows executables, and then use that data to create a much richer feature set than we would get with only static analysis. This would allow us to create, for example, better classifiers for malware.
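To make the "richer feature set" point concrete, the added example below (not code from the talk or from the Binee project) turns a constructed call trace into classifier features and contrasts it with what an import table alone yields. The JSON-lines trace layout, the field names and the sample calls are assumptions, not Binee's real output format.

```python
import json
from collections import Counter

# Constructed sample trace in a hypothetical JSON-lines layout: one emulated
# call per line with its resolved name and human-readable arguments.
# This is NOT Binee's real output format, only a stand-in for it.
TRACE = r"""
{"dll": "kernel32.dll", "func": "GetModuleHandleA", "args": {"lpModuleName": "ntdll.dll"}}
{"dll": "kernel32.dll", "func": "CreateFileA", "args": {"lpFileName": "C:\\Users\\Public\\drop.exe", "dwDesiredAccess": "GENERIC_WRITE"}}
{"dll": "kernel32.dll", "func": "WriteFile", "args": {"nNumberOfBytesToWrite": 40960}}
{"dll": "advapi32.dll", "func": "RegSetValueExA", "args": {"lpValueName": "Updater", "lpData": "C:\\Users\\Public\\drop.exe"}}
{"dll": "kernel32.dll", "func": "CreateProcessA", "args": {"lpApplicationName": "C:\\Users\\Public\\drop.exe"}}
"""

def parse_trace(text):
    """Parse the JSON-lines trace into an ordered list of (func, args) tuples."""
    return [(rec["func"], rec["args"])
            for rec in (json.loads(line) for line in text.splitlines() if line.strip())]

def static_features(calls):
    """What an import-table parser sees: function names only, no order, no values."""
    return Counter({"import:" + func: 1 for func, _ in calls})

def dynamic_features(calls):
    """Features only an emulated run provides: call counts, call order and
    argument values, plus a cross-call relation (a written file later executed)."""
    feats = Counter()
    names = [func for func, _ in calls]
    feats.update("call:" + func for func in names)
    feats.update("seq:%s>%s" % pair for pair in zip(names, names[1:]))
    written, executed = set(), set()
    for func, args in calls:
        for key, val in args.items():
            if isinstance(val, str):
                feats["arg:%s.%s=%s" % (func, key, val)] += 1
        if func == "CreateFileA" and args.get("dwDesiredAccess") == "GENERIC_WRITE":
            written.add(args["lpFileName"].lower())
        if func == "CreateProcessA":
            executed.add(args["lpApplicationName"].lower())
    # Relation invisible to static analysis: the file this process wrote is the
    # file it then launched.
    if written & executed:
        feats["drop_and_execute"] = len(written & executed)
    return feats

if __name__ == "__main__":
    calls = parse_trace(TRACE)
    print("static features:", len(static_features(calls)))
    print("dynamic features:", len(dynamic_features(calls)))
```

The same trace yields five static features and several dozen dynamic ones, including the ordered call pairs and the drop-and-execute relation that no import table can express.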