DEFEATING THE TRANSPARENCY FEATURE OF DBI

DynamoRIO and similar dynamic binary instrumentation (DBI) systems are used for program analysis, profiling, and comprehensive manipulation of binary applications. These DBI tools are critical for malware analysis, program feature collection, and virtual machine binary translation. An important aspect of these DBI tools is the transparency feature, i.e., the binary application (such as malware) being analyzed is not modified and is not aware of the runtime code manipulation.

This presentation shows techniques that break the transparency feature of popular DBI tools (such as DynamoRIO and PIN). We will provide code that behaves differently when running on native hosts, when running under DBI, and when running on a VM. The detection is based on specially crafted x86 instruction sequences that expose the fundamental limitation of binary instrumentation and translation. In this talk, we will also present position-independent NOP sequences that can be used to help evade detection and to differentiate between different types of x86 decoders.

Presented by