Our mission

whoami

Lars Haukli, Founder

At the age of 12, I was falsely accused of infecting my neighbor's PC with a computer virus. I had absolutely no idea how a virus worked, and I certainly had nothing to do with it spreading to that machine! All I wanted was to play a video game. 

​

This event as a child sparked an interest in a dark and mysterious field of computer science. Fast-forward to today and I have spent the last decade designing and developing anti-malware, and malware analysis technology for the largest cybersecurity players on the planet.

​

With 0xepic I am creating the malware analysis system of the future: One that empowers analysts to achieve incredible things by giving them the upper hand in the evasion game, and making it easy for them to scale up their efforts with automation.

Selected Previously Published Research

Exposing Bootkits with BIOS Emulation

Black Hat USA, Las Vegas, August 7, 2014
RSA Conference, San Francisco, February 25, 2014

The security features added in modern 64-bit versions of Windows raise the bar for kernel mode rootkits. The  introduction of Driver Signature Enforcement prevents malware from loading an unsigned kernel mode driver. PatchGuard was introduced to protect the integrity of the running kernel, in order to prevent rootkits from modifying critical structures or hooking system calls. Although time has shown that these security measures are not perfect, and may in fact be bypassed while actively running, an alternative approach is to subvert the system by running code before any of the security features kick in.

Secure Boot has been introduced to protect the integrity of the boot process. However, the model only works when booting from signed firmware (UEFI). Legacy BIOS systems are still vulnerable. The Master Boot Record, Volume Boot Record, and the bootstrap code all reside in unsigned sectors on disk, with no security  features in place to protect them from modification.

Using a combination of low level anti-rootkit techniques, emulation, and heuristic detection logic, we have  devised a way to detect anomalies in the boot sectors for the purpose of detecting the presence of bootkits.

Hypervisor Debugging with radare2

44CON, London, September 14, 2017

r2con, Barcelona, September 8, 2017

​

Reverse engineering protected code operating in kernel mode can be challenging. More advanced protection mechanisms typically combine obfuscation or encryption with techniques that hinder dynamic analysis. Some code will not run at all when certain debugging features are enabled by the OS.

radare2 is a comprehensive open-source framework for reverse engineering, that takes you to a magical world where control flow graphs of disassembled code are displayed in ASCII art. The framework combines a vast set of code analysis capabilities, which you can make use of in a variety of ways.

Enter the idea of connecting radare2 to a virtual machine, giving it direct access to guest physical memory. The intent is to debug Ring0 code running inside the guest, with the debugging mechanism operating exclusively on the host.