Reverse Engineering

Reverse Engineering – Overview

With the number and sophistication of cyber attacks constantly increasing, the traditional means for dissecting and reverse engineering these attacks no longer holds true.  Inspecting single applications for suspect behavior and known signatures is falling further and further behind the curve. The world of exploits has moved very quickly from targeting a single application, to targeting an entire system, not only to perform the intended behavior, but also to hide from traditional detection and analysis means.The WindowsSCOPE line of products provides a unique look into a Windows-based systems and their components.  By directly accessing both user-level and kernel-level applications and data structures in memory, an industry-unique system-wide reverse engineering is becomes possible. In addition to the concept of system-wide reverse engineering, WindowsSCOPE also introduces the ability to include time as a dimension in reverse engineering.  Through the intra-snapshot comparison feature, users can see exactly how and what has changed in a system over time.

WindowsSCOPE Cyber Forensics takes the concept of reverse engineering even further.  Users can also perform a live memory fetch of the local computer, which is then automatically converted into a format showing all of the key operating system structures, running processes and drivers, loaded DLLs and much more.  Based on this information, reverse engineering at the system level has already been done for you.  Raw code view, disassembly view as well as a graphical representation and traversal of each process’s/driver’s/DLL’s functionality also assists in a more targeted reverse engineering. WindowsSCOPE supports annotations so a user can save his or her work into an associated database.

Finally, WindowsSCOPE Remote Fetch add-on can be used to support remote authenticated fetch. After installing a driver in a machines of interest, regular fetches and analyses can be scheduled. Please contact us for more information regarding this feature.