RE-Detector
RE-Detector is the second phase of a project that started with the survey of reverse engineering tools. RE-Detector was developed as a solution to two separate problems, described in the following two scenarios:
A software developer creates specialized software that he or she knows will be a victim of reverse engineering. In order to protect the software, the developer uses conventional anti-reverse engineering techniques of obfuscation and antidebugging, but wants an extra layer of security. The developer wants to be able to detect the presence of reverse engineering tools on the system, and choose whether to run the program based on the search results.
The second scenario is:
A software developer is distributing software on an embedded system which they suspect will be subject to reverse engineering. The developer wants to know whether the customer is violating their terms of service and reverse engineering the code on their systems, and has periodic access to the machines.
Solution
The solution to the problem is RE-Detector. RE-Detector works much like a virus detection utility, searching the system for any traces of reverse engineering tools. RE-Detector is designed to be cross-platform in nature, and has been tested to work on both Microsoft Windows XP and Linux. RE-Detector is written in C and Python, and can detect reverse engineering tools by distinct files, registry keys, and system logs. These logs include Dr. Watson crash logs, Windows event logs, and error logs. RE-Detector is also capable of finding traces of reverse engineering tools that were once on a system but have since been removed.
A second phase of the RE-Detector project was also undertaken that updated the RE-Detector code to enhance its stability and detect whether the software was being run within a virtual machine. The motivation behind this added feature is that a software engineer can use a virtual machine to compartmentalize the software and run it in an environment that appears to be free of reverse engineering tools, while the tools on the underlying operating system can be used to manipulate and reverse engineer the software.
The resulting tool can be used as a stand-alone tool, much in the way that an antivirus tool is used. The GUI for the tool was coded in GTK+. In this form, RE-Detector is useful as a forensic utility. RE-Detector can also be called from other applications via an API. In this form, RE-Detector can be used as a protection technique and run in the background, checking a system to ensure it is safe for sensitive software to execute.
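The footprint matching described above, as an added illustration (example code written for this page, not RE-Detector's own source): each tool is described by the files, registry keys and log patterns it leaves behind, and a tool whose only remaining trace is a log entry is reported as removed. All tool names, paths, keys and log lines are constructed placeholders; gathering the real inventory from the host (directory walk, registry enumeration, log reading) is left to the caller.

```python
"""Footprint matcher in the spirit of RE-Detector (added example, not project code).

A Footprint lists the indicators a reverse engineering tool leaves on a host.
match_footprints() compares those indicators with the observed inventory and
reports every tool with at least one hit, including tools whose files and
registry keys are gone but whose names survive in crash or event logs.
Every indicator value below is a constructed placeholder, not a real signature.
"""
import re
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Footprint:
    tool: str
    files: frozenset = frozenset()          # paths the installed tool leaves behind
    registry_keys: frozenset = frozenset()  # Windows registry keys (compared case-insensitively)
    log_patterns: tuple = ()                # regexes matched against log lines

@dataclass
class Finding:
    tool: str
    evidence: list = field(default_factory=list)  # (kind, value) pairs

    @property
    def removed(self):
        # Only log traces remain: the tool was on the system at some point but
        # its files and registry keys are gone, which RE-Detector also reports.
        return all(kind == "log" for kind, _ in self.evidence)

def match_footprints(footprints, present_files, present_keys, log_lines):
    """Return {tool: Finding} for every footprint with at least one hit."""
    files = {f.lower() for f in present_files}
    keys = {k.lower() for k in present_keys}
    findings = {}
    for fp in footprints:
        ev = [("file", p) for p in sorted(fp.files) if p.lower() in files]
        ev += [("registry", k) for k in sorted(fp.registry_keys) if k.lower() in keys]
        for pat in fp.log_patterns:
            rx = re.compile(pat, re.IGNORECASE)
            ev += [("log", line) for line in log_lines if rx.search(line)]
        if ev:
            findings[fp.tool] = Finding(fp.tool, ev)
    return findings

# Constructed demonstration data (placeholders, not real tool footprints).
FOOTPRINTS = [
    Footprint("DebuggerA", files=frozenset({r"C:\Tools\dbga\dbga.exe"}),
              registry_keys=frozenset({r"hkcu\software\dbga"}),
              log_patterns=(r"\bdbga\.exe\b",)),
    Footprint("DisassemblerB", files=frozenset({"/opt/disasm-b/bin/disasm-b"}),
              log_patterns=(r"disasm-b",)),
]
SAMPLE_FILES = [r"C:\Tools\dbga\DBGA.EXE"]                       # constructed file inventory
SAMPLE_KEYS = [r"HKCU\Software\dbga", r"HKCU\Software\Microsoft"]  # constructed registry keys
SAMPLE_LOGS = ["Application error: faulting application disasm-b, exception 0xc0000005"]  # constructed

if __name__ == "__main__":
    for tool, f in match_footprints(FOOTPRINTS, SAMPLE_FILES, SAMPLE_KEYS, SAMPLE_LOGS).items():
        print(f"{tool}: {'removed, log trace only' if f.removed else 'present'}; evidence={f.evidence}")
```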
Personnel
Students
John O’Meara – Software development during first phase
Ray Canzanese – Reverse engineering tool footprint development
Kevin Lynch – Software development during second phase. Virtual machine detection.
Faculty
Spiros Mancoridis
Moshe Kam